From 39e4c5706d896502d111ef71f57e1136d6f12bb5 Mon Sep 17 00:00:00 2001 From: dgaudet Date: Sat, 28 Jun 1997 22:00:16 +0000 Subject: [PATCH] Whack people upside the head if they try to run apache as root. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3@78418 13f79535-47bb-0310-9956-ffa450edef68 --- APACHE_1_2_X/src/CHANGES | 5 ++++- APACHE_1_2_X/src/main/http_core.c | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/APACHE_1_2_X/src/CHANGES b/APACHE_1_2_X/src/CHANGES index 8d3f07596e8..b88577e7acc 100644 --- a/APACHE_1_2_X/src/CHANGES +++ b/APACHE_1_2_X/src/CHANGES @@ -13,10 +13,13 @@ Changes with Apache 1.2.1 (headers, readmes, titles), mod_negotiation (type maps), or mod_cern_meta (meta files). [Dean Gaudet] + *) SECURITY: Apache will refuse to run as "User root" unless + BIG_SECURITY_HOLE is defined at compile time. [Dean Gaudet] + *) CONFIG: "HostnameLookups" now defaults to off because it is far better for the net if we require people that actually need this data to enable it. [Linus Torvalds] - + *) mod_include was not properly changing the current directory. [Marc Slemko] PR#742 diff --git a/APACHE_1_2_X/src/main/http_core.c b/APACHE_1_2_X/src/main/http_core.c index 0bc6ece1f75..f3cf492627a 100644 --- a/APACHE_1_2_X/src/main/http_core.c +++ b/APACHE_1_2_X/src/main/http_core.c 
@@ -886,9 +886,23 @@ const char *set_user (cmd_parms *cmd, void *dummy, char *arg) else { cmd->server->server_uid = user_id; fprintf(stderr, - "Warning: User directive in requires SUEXEC wrapper.\n"); + "Warning: User directive in " + "requires SUEXEC wrapper.\n"); } } +#if !defined (BIG_SECURITY_HOLE) + if (cmd->server->server_uid == 0) { + fprintf (stderr, +"Error:\tApache has not been designed to serve pages while running\n" +"\tas root. There are known race conditions that will allow any\n" +"\tlocal user to read any file on the system. Should you still\n" +"\tdesire to serve pages as root then add -DBIG_SECURITY_HOLE to\n" +"\tthe EXTRA_CFLAGS line in your src/Configuration file and rebuild\n" +"\tthe server. It is strongly suggested that you instead modify the\n" +"\tUser directive in your httpd.conf file to list a non-root user.\n"); + exit (1); + } +#endif return NULL; } -- 2.47.2
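Review bot: The refusal at `if (cmd->server->server_uid == 0)` runs only when a `User` directive is parsed and runs for every server it appears in, including the `else` branch just above it whose "requires SUEXEC wrapper" warning suggests (the paired `if` is outside the hunk, and the warning text itself looks like it lost a word after "in") that this is the per-virtual-host uid rather than the one the listening process drops to; checking the uid the main server will actually setuid to, once after the configuration is read, would match what the message claims, and nothing here covers a `Group` of 0 should that be a concern. Calling `exit(1)` from inside a directive handler also bypasses the handler's own error convention: this function already reports failures by returning a string (it ends with `return NULL;`), so returning a shorter version of the message, e.g. `return "Apache will not run as root (User root); rebuild with -DBIG_SECURITY_HOLE to override";`, would keep a single config-error reporting path. The message speaks of "known race conditions" but the code carries no comment saying which, so a one-line note above the `#if`, such as `/* Refuse uid 0: a root-run server lets any local user read any file via known races; -DBIG_SECURITY_HOLE overrides, see CHANGES 1.2.1 */`, would give future readers the rationale without having to find this commit. set_user begins before this hunk.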