Marc Slemko wrote:
> Have you actually looked at the code before spouting silly garbage like it
> being "bullet proof"?
> Do you really want to trust a server that normally runs as root and that,
> if it fails to switch UIDs before serving a document, just logs a message
> and proceeds as root? I don't call that bullet proof. While you wouldn't
> be running it as root anyway on a firewall, it does indicate something
> about the software. I'm sure it can be made secure, but your clueless
> claim that it is god and never ever has any problems while Apache is full
> of buffer overflows (if it is, I sure don't see them) is foolish.
It really doesn't matter, whether it runs as root or as user. Every user
can become root, with some common exploits. There are some patches for
chroot() and chuid(), which are urgently needed.
I really had some very serious problems with perl cgi's and apache. I
also see some SSI problems on geek-girl which have been patched, thanx
to you as co-develloper of APACHE. Mostly the security of programs (like
apache) heavily depend on the quality of lib's
(popen(),gets,sprintf.race-condition..problems). As programer you can't
claim, that apache binary is ok, because there are enough included libs
left, which are quite unsecure. So - you may be right, if you claim,
that apache is secure, from the point of source-review. I , personally,
only trust a chroot() version of apache or CERN.
cu, Guido Stepken