From: Richard Bowen <rbowen@apache.org>
Date: Thu, 7 Nov 2002 03:03:33 +0000 (+0000)
Subject: As per discussion on users@httpd.apache.org and a little on IRC, clarify
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ea19566ec902e0e6dcba0a1714f3f2713034f9ca;p=apache

As per discussion on users@httpd.apache.org and a little on IRC, clarify
that "third party" modules can do basically whatever they want, and
typically do it as the "User" uid, so Caveat Administrator


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97435 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en
index 6ceccc3b9f..42db5d7e15 100644
--- a/docs/manual/misc/security_tips.html.en
+++ b/docs/manual/misc/security_tips.html.en
@@ -7,7 +7,7 @@
       --><title>Security Tips - Apache HTTP Server</title><link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /><link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /><link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link href="../images/favicon.ico" rel="shortcut icon" /></head><body id="manual-page"><div id="page-header"><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.0</p><img alt="" src="../images/feather.gif" /></div><div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div><div id="path"><a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs-project/">Documentation</a> &gt; <a href="../">Version 2.0</a></div><div id="page-content"><div id="preamble"><h1>Security Tips</h1>
     <p>Some hints and tips on security issues in setting up a web server. 
     Some of the suggestions will be general, others specific to Apache.</p>
-  </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li><li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
+  </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li><li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li><li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li><li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li><li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li><li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li><li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li><li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
   
     
     
@@ -139,6 +139,18 @@
     <p>Most sites choose this option over the non script aliased CGI 
     approach.</p>
     
+  </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="dynamic" id="dynamic">Other sources of dynamic content</a></h2>
+
+  
+
+  <p>
+  Embedded scripting options which run as part of the server itself,
+  such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
+  identify of the server itself, (see the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive) and therefore
+  scripts executed by these engines potentially can access anything the
+  server user can. some scripting engines may provide restrictions, but
+  it is better to be safe and assume not.</p>
+
   </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="systemsettings" id="systemsettings">Protecting System Settings</a></h2>
   
     
diff --git a/docs/manual/misc/security_tips.xml b/docs/manual/misc/security_tips.xml
index ddc690c0ad..60dee63602 100644
--- a/docs/manual/misc/security_tips.xml
+++ b/docs/manual/misc/security_tips.xml
@@ -124,7 +124,7 @@
     <a href="http://cgiwrap.unixtools.org/">CGIWrap</a>.</p>
     
   </section>
-  
+
   <section id="nsaliasedcgi">
   
     <title>Non Script Aliased CGI</title>
@@ -155,6 +155,21 @@
     <p>Most sites choose this option over the non script aliased CGI 
     approach.</p>
     
+  </section>
+
+   <section id="dynamic">
+
+  <title>Other sources of dynamic content</title>
+
+  <p>
+  Embedded scripting options which run as part of the server itself,
+  such as mod_php, mod_perl, mod_tcl, and mod_python, run under the
+  identify of the server itself, (see the <directive 
+  module="mpm_common">User</directive> directive) and therefore
+  scripts executed by these engines potentially can access anything the
+  server user can. some scripting engines may provide restrictions, but
+  it is better to be safe and assume not.</p>
+
   </section>
   
   <section id="systemsettings">