Re: SECURITY LEAK in ncsa httpd - PLEASE READ THE DOCUMENTATION

Marc Andreessen (marca@eit.COM)
Tue, 8 Feb 1994 19:56:50 --100


> * SECURITY LEAK in ncsa httpd - PLEASE READ!!!! by Markus Stumpf
> * written on Feb 8, 4:52pm.
> *
> * We run httpd from inetd and I always thought (but never checked)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> * that User and Group (from the conf or httpd.h files) applies
> * in that case, too.
> * This is NOT true! (and should be stated clearly in the conf files
> * IMHO).

I've never been able to figure out why someone would advertise his own
lack of understanding of a situation to a large group of people in
screaming capital letters.

In any case, the docs for User -- for example -- have always stated:

"This directive is only applicable if you are using a ServerType of
standalone."

An erroneous assumption does not a SECURITY LEAK make, when the docs
clearly state the facts.

Cheers,
Marc
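
Added example, not part of the original message or of NCSA httpd: a small Python check for the situation discussed above, where `ServerType inetd` is set and the `User` directive therefore does not apply, so the account comes from the user field of the inetd.conf entry. The file contents, paths and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample files (not from the original message).
HTTPD_CONF = """\
ServerType inetd
User nobody
Group nogroup
"""
INETD_CONF = """\
ftp   stream tcp nowait root /usr/sbin/ftpd ftpd
http  stream tcp nowait root /usr/local/etc/httpd/httpd httpd
"""

def directives(text):
    """Parse 'Name value' lines into {name_lowercase: value}, skipping comments."""
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip()
    return found

def inetd_user(text, program="httpd"):
    """Return the user (5th field) of the inetd.conf entry that starts `program`."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 6 and fields[5].rsplit("/", 1)[-1] == program:
            # Some inetd variants accept user.group or user:group in this field.
            return re.split(r"[.:]", fields[4])[0]
    return None

def audit(httpd_conf, inetd_conf):
    """Report which account httpd really runs as when ServerType is inetd."""
    conf = directives(httpd_conf)
    if conf.get("servertype", "").lower() != "inetd":
        return None  # User applies in standalone mode; nothing to cross-check
    effective = inetd_user(inetd_conf)
    return {
        "ignored_user": conf.get("user"),      # set in the conf file, not applied
        "effective_user": effective,           # what inetd actually starts httpd as
        "runs_as_root": effective in ("root", "0"),
    }

if __name__ == "__main__":
    print(audit(HTTPD_CONF, INETD_CONF))
```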