Re: SECURITY LEAK in ncsa httpd - PLEASE READ THE DOCUMENTATION

marca@eit.COM (Marc Andreessen)
Errors-To: secret@www0.cern.ch
Date: Tue, 8 Feb 1994 19:56:50 --100
Message-id: <199402081903.TAA07489@threejane>
Reply-To: www-talk@www0.cern.ch
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: marca@eit.COM (Marc Andreessen)
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: SECURITY LEAK in ncsa httpd - PLEASE READ THE DOCUMENTATION
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 852

>  * SECURITY LEAK in ncsa httpd - PLEASE READ!!!!  by Markus Stumpf
>  *    written on Feb  8,  4:52pm.
>  *
>  * We run httpd from inetd and I always thought (but never checked)
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>  * that User and Group (from the conf or httpd.h files) apply
>  * in that case, too.
>  * This is NOT true! (and should be stated clearly in the conf files
>  * IMHO).

I've never been able to figure out why someone would advertise his own
lack of understanding of a situation to a large group of people in
screaming capital letters.

In any case, the docs for User -- for example -- have always stated:

"This directive is only applicable if you are using a ServerType of
standalone."

An erroneous assumption does not a SECURITY LEAK make, when the docs
clearly state the facts.

Cheers,
Marc
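
The configuration point discussed in this thread, as an added example that is not part of the original message or of NCSA httpd: a small audit that reports which account an inetd-launched httpd would run as, given that User only applies with ServerType standalone. The sample file contents, the `http` service name, the function names and the fallback to standalone when ServerType is absent are assumptions of this sketch.

```python
# Constructed sample configuration (not taken from the original message).
HTTPD_CONF = """\
ServerType inetd
User nobody
Group nogroup
"""
INETD_CONF = """\
# service socket proto wait user server args
ftp   stream tcp nowait root /usr/sbin/ftpd ftpd
http  stream tcp nowait root /usr/local/etc/httpd/httpd httpd
"""

def parse_httpd_conf(text):
    """Return {directive: value}; directive names are lowercased for lookup."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def inetd_user(text, service):
    """Return the user field (5th column) of the inetd.conf entry, or None."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 6 and fields[0] == service:
            # Some inetd variants allow user.group or user:group here.
            return fields[4].replace(":", ".").split(".")[0]
    return None

def effective_user(httpd_text, inetd_text, service="http"):
    """Return (account the server runs as, list of warnings)."""
    conf = parse_httpd_conf(httpd_text)
    # Assumption: a missing ServerType is treated as standalone.
    if conf.get("servertype", "standalone").lower() == "standalone":
        return conf.get("user"), []  # User applies in standalone mode
    user = inetd_user(inetd_text, service)
    warnings = []
    if "user" in conf:
        warnings.append("User %s is ignored under ServerType inetd; "
                        "inetd.conf decides the account" % conf["user"])
    if user == "root":
        warnings.append("inetd.conf starts the '%s' service as root" % service)
    return user, warnings

if __name__ == "__main__":
    user, warnings = effective_user(HTTPD_CONF, INETD_CONF)
    print("effective user:", user)
    for w in warnings:
        print("WARNING:", w)
```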