Commit 154aef63 authored by dgaudet

Whack people upside the head if they try to run apache as root.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3@78418 13f79535-47bb-0310-9956-ffa450edef68
parent 5c8054d4
+4 −1
@@ -13,6 +13,9 @@ Changes with Apache 1.2.1
     (headers, readmes, titles), mod_negotiation (type maps), or
     mod_cern_meta (meta files).  [Dean Gaudet]

  *) SECURITY: Apache will refuse to run as "User root" unless
     BIG_SECURITY_HOLE is defined at compile time.  [Dean Gaudet]

  *) CONFIG: "HostnameLookups" now defaults to off because it is far better
     for the net if we require people that actually need this data to
     enable it.  [Linus Torvalds]
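Review bot: The new SECURITY entry describes the restriction by name ("User root"), while the code in this commit tests the resolved uid (`cmd->server->server_uid == 0`), so any User value that resolves to uid 0 is refused, not only the literal name root. Suggest wording the entry in terms of uid 0, and stating where the define goes (-DBIG_SECURITY_HOLE on the EXTRA_CFLAGS line of src/Configuration, as the error message says) so the changelog entry can be acted on without reading the source.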
+15 −1
@@ -886,9 +886,23 @@ const char *set_user (cmd_parms *cmd, void *dummy, char *arg)
	else {
	    cmd->server->server_uid = user_id;
	    fprintf(stderr,
		    "Warning: User directive in <VirtualHost> requires SUEXEC wrapper.\n");
		"Warning: User directive in <VirtualHost> "
		"requires SUEXEC wrapper.\n");
	}
    }
#if !defined (BIG_SECURITY_HOLE)
    if (cmd->server->server_uid == 0) {
	fprintf (stderr,
"Error:\tApache has not been designed to serve pages while running\n"
"\tas root.  There are known race conditions that will allow any\n"
"\tlocal user to read any file on the system.  Should you still\n"
"\tdesire to serve pages as root then add -DBIG_SECURITY_HOLE to\n"
"\tthe EXTRA_CFLAGS line in your src/Configuration file and rebuild\n"
"\tthe server.  It is strongly suggested that you instead modify the\n"
"\tUser directive in your httpd.conf file to list a non-root user.\n");
	exit (1);
    }
#endif

    return NULL;
}
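Review bot: The uid 0 test sits at the end of set_user, so it runs only when a User directive is parsed; a configuration with no User directive never reaches it, and the outcome then depends on the default value of server_uid, which these lines do not show. Consider repeating the test at the point where the server actually switches identity at startup. Separately, `exit (1);` from a handler that otherwise reports through its `const char *` return (`return NULL;` on success) loses the config file and line context; returning a short error string would let the caller name the rejected User line. Also, when the directive is inside a <VirtualHost>, the SUEXEC warning in the else branch is printed immediately before this fatal error, so doing the uid 0 test before that branch would give cleaner output.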