Re: SECURITY LEAK in ncsa httpd - PLEASE READ THE DOCUMENTATION
Marc Andreessen (marca@eit.COM)
Tue, 8 Feb 1994 19:56:50 --100
> * SECURITY LEAK in ncsa httpd - PLEASE READ!!!! by Markus Stumpf
> * written on Feb 8, 4:52pm.
> *
> * We run httpd from inetd and I always thought (but never checked)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> * that User and Group (from the conf oder httpd.h files) applies
> * in that case, too.
> * This is NOT true! (and should be stated clearly in the conf files
> * IMHO).
I've never been able to figure out why someone would advertise his own
lack of understanding of a situation to a large group of people in
screaming capital letters.
In any case, the docs for User -- for example -- have always stated:
"This directive is only applicable if you are using a ServerType of
standalone."
An erroneous assumption does not a SECURITY LEAK make, when the docs
clearly state the facts.
Cheers,
Marc