Posted to users@httpd.apache.org by Sh...@ny.frb.org on 2003/12/01 18:34:12 UTC

Re: [users@httpd] changing suexec settings

The idea occurred to me as you can see in my original e-mail.
It just strikes me that it seems there isn't a more flexible and less time 
consuming way to change the suexec settings without having to re-install 
the entire apache in a dummy directory. Although security should not be 
taken lightly, the current way to modify the suexec settings is kind of 
inflexible.

--------------------------------------------------------------------------------------------

Shen C. Yang

Information Technology Specialist
Federal Reserve Bank of New York - www.newyorkfed.org
Tel: (212) 720 2857
e-mail: shen.yang@ny.frb.org

Any comments or statements made in this transmission reflect the views of 
the sender and are not necessarily the views of the Federal Reserve Bank 
of New York.




Kyle Dent <kd...@seaglass.com>
11/28/2003 17:29
Please respond to users

 
        To:     users@httpd.apache.org
        cc: 
        Subject:        Re: [users@httpd] changing suexec settings

On Fri, 28 Nov 2003 Shen.Yang@ny.frb.org wrote:

> I had apache 2.0.48 installed and working the way I want, in particular,
> suexec with multiple vhosts.
> After a couple of dry runs, I found out that the default locations of
> suexec logfile (--with-suexec-logfile) and docroot (--with-suexec-docroot)
> are not the best for me.
> After reading the suexec documentation, my understanding is that I have to
> reinstall apache with the suexec settings that I want.
> In my case, this means reinstalling a couple of third-party modules. It seems
> that I have the option of doing a plain vanilla apache install in a temp
> directory with all the suexec settings that I want and copy the new suexec
> binary over the old suexec binary in the production directory.
>
> I wonder if there is a simpler and faster way to change the settings of
> suexec without reinstalling apache.

Recompile with the options you want. When you're finished, you'll
have an httpd binary in the top level directory of the Apache
source. Stop your web server and copy that over the existing
one.

Kyle


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




Re: [users@httpd] changing suexec settings

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 1 Dec 2003 Shen.Yang@ny.frb.org wrote:

> The idea occurred to me as you can see in my original e-mail.
> It just strikes me that it seems there isn't a more flexible and less time
> consuming way to change the suexec settings without having to re-install
> the entire apache in a dummy directory. Although security should not be
> taken lightly, the current way to modify the suexec settings is kind of
> inflexible.

As has been pointed out, you don't need to reinstall apache.  You only
need to recompile and then pick the suexec binary out of the support/
directory.

suexec is a suid root binary.  This is about the most dangerous type of
program that you can run.  It is therefore inflexible *by design* to
prevent bad things from happening.

Unfortunately, flexibility and security are sometimes inversely related.
And with suexec, security must win.

Joshua.
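
The rebuild-and-swap procedure discussed in this thread, as an added example that is not part of any poster's message or of the Apache distribution. The function names are hypothetical, and it assumes the original 2.0.48 build tree (with the config.nice that configure generated) still exists and that suexec is installed root-owned with mode 4711.

```shell
#!/bin/sh
# Added example: swap in a rebuilt suexec without reinstalling Apache.

# Succeeds only if FILE is a regular file owned by WANT_UID (default 0 = root),
# is setuid and executable by its owner, and is not writable by group or others.
suexec_perms_ok() {
    f=$1 want_uid=${2:-0}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    set -- $(ls -ln "$f")            # $1 = mode string, $3 = numeric owner uid
    [ "$3" = "$want_uid" ] || return 1
    case $1 in
        -??s?-??-?*) return 0 ;;     # e.g. -rws--x--x (4711)
        *)           return 1 ;;
    esac
}

# Usage (as root, web server stopped):
#   rebuild_suexec SRC_TREE LIVE_SUEXEC NEW_LOGFILE NEW_DOCROOT
rebuild_suexec() {
    src=$1 live=$2 logfile=$3 docroot=$4
    # config.nice replays the original ./configure options; the two suexec
    # options named in the thread are appended to it.
    ( cd "$src" &&
      ./config.nice --with-suexec-logfile="$logfile" \
                    --with-suexec-docroot="$docroot" &&
      make clean && make ) || return 1
    # Keep the old binary for rollback, but without its setuid bit.
    cp "$live" "$live.bak" && chmod 0400 "$live.bak" || return 1
    # A plain cp does not carry ownership or the setuid bit, so set them
    # explicitly and verify before the new binary replaces the live one.
    cp "$src/support/suexec" "$live.new" &&
    chown root "$live.new" && chmod 4711 "$live.new" &&
    suexec_perms_ok "$live.new" &&
    mv "$live.new" "$live" &&
    "$live" -V                       # as root: prints the compiled-in settings
}
```
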



Re: [users@httpd] changing suexec settings

Posted by Kyle Dent <kd...@seaglass.com>.
On Mon, 1 Dec 2003 Shen.Yang@ny.frb.org wrote:

> The idea occurred to me as you can see in my original e-mail.
> It just strikes me that it seems there isn't a more flexible and less time
> consuming way to change the suexec settings without having to re-install
> the entire apache in a dummy directory. Although security should not be
> taken lightly, the current way to modify the suexec settings is kind of
> inflexible.

I'm saying don't *install* everything into a dummy directory.
Just rebuild and copy the single 'httpd' binary into place.

Kyle

