apache configtest

Joe Orton jorton at redhat.com
Sun Oct 24 11:19:45 UTC 2004


On Thu, Oct 21, 2004 at 12:36:35PM -0400, Colin Walters wrote:
> On Thu, 2004-10-21 at 15:22 +0900, Makoto Otsu wrote:
> > Apache configtest does not work
> > 
> > The following commands display nothing.
> > 
> > # service httpd configtest
> > 
> > or
> > 
> > # httpd -t
> 
> Right - this is a consequence of the SELinux policy for Apache.  We do
> not want the httpd process to have access to your terminal.  If it did,
> a compromised or buggy httpd process could do very bad things.
> 
> The fix is to break the config-testing bit into its own binary.  We
> could have a wrapper around /usr/sbin/httpd which would parse arguments,
> and exec /usr/sbin/httpd-configtest if the -t option is passed,
> otherwise we exec /usr/sbin/httpd.real.

Oh, this is still so insane!  Do you want two copies of libphp4.so, one
which contains just the "config testing" code too, or what?  Because
testing the config file involves *interpreting* the config file.

If the problem is to inhibit terminal access can't we just run it under
some "tee" like binary from the init script, so at least that works?

joe
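
The "tee"-like relay suggested in this message, written as an init-script function. This is an added example, not code from the thread or from the distribution's httpd init script. `relay_output`, `configtest` and the `HTTPD` variable are hypothetical names, and it assumes the policy lets httpd write to a pipe inherited from the init script.

```shell
#!/bin/sh
# Added example: show `httpd -t` output without giving httpd a terminal
# file descriptor. All names below are hypothetical.

# Path is an assumption taken from the thread; override for testing.
HTTPD=${HTTPD:-/usr/sbin/httpd}

# relay_output CMD [ARGS...]
# Runs CMD with stdin from /dev/null and stdout+stderr on a pipe. The
# shell, not CMD, writes the captured text to the caller's stdout, and
# CMD's exit status is returned so callers can still act on failure.
relay_output() {
    _relay_status=0
    # Command substitution creates the pipe; CMD only ever sees the
    # pipe and /dev/null on descriptors 0, 1 and 2.
    _relay_out=$("$@" </dev/null 2>&1) || _relay_status=$?
    if [ -n "$_relay_out" ]; then
        printf '%s\n' "$_relay_out"
    fi
    return "$_relay_status"
}

# Redirecting descriptors does not detach the controlling terminal: a
# process can still try to open /dev/tty. Blocking that remains the job
# of the SELinux policy; the relay only makes the output visible again.
configtest() {
    relay_output "$HTTPD" -t
}
```

An init script would call `configtest` from its `configtest)` case branch and exit with the returned status.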



