Re: SECURITY LEAK in ncsa httpd - PLEASE READ THE DOCUMENTATION

Marc Andreessen ([email protected])
Tue, 8 Feb 1994 19:56:50 --100


> * SECURITY LEAK in ncsa httpd - PLEASE READ!!!! by Markus Stumpf
> * written on Feb 8, 4:52pm.
> *
> * We run httpd from inetd and I always thought (but never checked)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> * that User and Group (from the conf oder httpd.h files) applies
> * in that case, too.
> * This is NOT true! (and should be stated clearly in the conf files
> * IMHO).

I've never been able to figure out why someone would advertise his own
lack of understanding of a situation to a large group of people in
screaming capital letters.

In any case, the docs for User -- for example -- have always stated:

"This directive is only applicable if you are using a ServerType of
standalone."

An erroneous assumption does not a SECURITY LEAK make, when the docs
clearly state the facts.

Cheers,
Marc