Kewl...

["Jason A. Dour" <ja...@bcc.louisville.edu>]

-----BEGIN PGP SIGNED MESSAGE-----

Wow...  Whoduv thunk suCGI would cause this much fuss...  I haven't even
released anything past the first beta...

I haven't even had time to cautch my breath and look at the patch Randy
sent to me late last night.  I slept on it, and awoke to a dozen plus
messages about the dang thing...

A couple of issues:

1.  I don't mind the Apache License being applied to sucgi.c.  As long as
the MotherSoft header stays in there...everything's cool.  It was
originally GPL'd via Majordomo...before it went under the vast
reconstructive surgery for suCGI.  8P

2.  suCGI beta one (known in these parts as Beta-Carotene) was meant to
address ~userdir requests *only.*  Neither the internal code nor the
wrapper were designed for generic host/directory use...  Those were on the
drawing board for this weekend...but Randy beat me to it.

3.  Randy's approach is much as mine would have been.  My plans were as
follows:
	* centralize code beneficial to cgi and includes. (i.e. http_exec)
	* code a paranoid() call...  paranoid() would contain all the
	  paranoia checks I had in mind.
	* alter mod_cgi and mod_include to work with the new design.

4.  Back layer.  Son Of Beta-Carotene was going to have logging/debugging. 
I haven't checked the latest post of Randy's but I think he beat me to
that as well.  Also, my design philosophy for the back-end was KISS.  I
only tried to watch for major system problems, because the server was to
do all of the paranoia checking...

5.  paranoid()  Here are my thoughts on the matter.  If the requested cgi
or include resource is located in a suCGI location/host, then call
paranoid.  If not, execute per norm.  Then, paranoid's behaivour is
different per request...  For userdirs, it checks to make certain the
program requested is owned by the same user as the userdir, that it is not
setuid'd, and that it is not root's (or is not among a pre-defined list
for root scripts). If it passes all of these checks, then it will pass
back an all clear.  For vhosts/locations, it checks to see if the program
is owned by the user defined in the config file.  In the case of Group
being set, it would check that as well.  Also, the setuid bit should not
be set for either user or group.  If it passes all of these checks, send
to the wrapper. 

Ah well.  I'm babbling...

I also am quite baffled by the whole situation.  I receive a patch in
email regarding a product I'm developing...  Suddenly, this patch is
carried to the rest of the server development people whilst I sleep,
before I've had a chance to look it over. Now before all you Apache folk
start chiding me for sleeping...let me finish.  8P Yes, my tongue is
planted firmly in my cheek on this...but I really would have liked to have
had a little time on this one, Randy.  This has been my baby...and I'm
glad you want to help...but I can't help feeling a little ruffled by this.
Ah well, I know you and everyone the Apache folk mean well, so no big
thing...I just had to say it. 

Randy, Nathan, and anyone else who is interested in pursuing this, great! 
I'd love to see this capability come to out of the box Apache.  I think it
would win over a few more hearts and minds from other server software...
I'm more than willing to help.  But this old country boy is just a little
overtaken by the speed here...  Mind if I try to catch up before y'all get
too far ahead of me?

Jason
+ Jason A. Dour                       jad@bcc.louisville.edu               +
| Programmer Analyst II               http://www.louisville.edu/~jadour01/ |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMbIPwZo1JaC71RLxAQGc8QP+MFMAqJd1rwYuILHZWCNa8ot3wjy8htms
Brt+BNxv1lsNWpdesKkzywGoO9sKbDJdW3pz5SdQks7Iiyh82f8PmePuwpp42m7u
9fLEHRtYmbgyHQ1zF1E3Gzprr6VpFo9NUWPwuEqZivq8MpJTiQfcLevVd7e7aTdR
2GyklPICQVk=
=s/QO
-----END PGP SIGNATURE-----