apache configtest
Colin Walters
walters at redhat.com
Mon Oct 25 13:49:35 UTC 2004
On Mon, 2004-10-25 at 10:20 +0100, Joe Orton wrote:
> On Sun, Oct 24, 2004 at 09:55:53PM -0400, Colin Walters wrote:
> > On Sun, 2004-10-24 at 12:19 +0100, Joe Orton wrote:
> >
> > > Oh, this is still so insane! Do you want two copies of libphp4.so, one
> > > which contains just the "config testing" code too, or what?
> >
> > No, that wouldn't be necessary. Each domain would have the privileges
> > to map libphp4.so and use it.
>
> So why would any PHP code be deemed to be safe to have terminal access,
> but not certain bits of httpd code?
It doesn't have anything to do with the safety of PHP. Rather, it has
to do with the fact that SELinux does *not* distinguish between
different shared libraries within a single process. Once a process
running as httpd_t loads a shared library, that library is part of the
process and any code in it runs as httpd_t.
> There's also the issue that httpd *does* need terminal access during
> during startup for configurations using encrypted private SSL keys:
> mod_ssl will open /dev/tty to prompt for a password.
Ugh. Stephen's suggestion of having an init proxy here makes the most
sense to me.
More information about the fedora-test-list
mailing list