marc 97/12/22 13:25:11
Modified: htdocs/manual/mod core.html Log: Misc cleanups: - cleanup HTML, <e> --> <em> - remove bogus security warning about LockFile - add warning about possible denial of service attack with LockFile in world writable directory - remove security encouragement to use inetd; add warning that inetd isn't well supported. Revision Changes Path 1.88 +11 -10 apachen/htdocs/manual/mod/core.html Index: core.html =================================================================== RCS file: /export/home/cvs/apachen/htdocs/manual/mod/core.html,v retrieving revision 1.87 retrieving revision 1.88 diff -u -r1.87 -r1.88 --- core.html 1997/12/14 01:04:56 1.87 +++ core.html 1997/12/22 21:25:10 1.88 @@ -371,7 +371,7 @@ <Directory ~ "^/www/.*/[0-9]{3}"> </pre> -would match directories in /www/ that consisted of three numbers.</p> +would match directories in /www/ that consisted of three numbers. <p>If multiple (non-regular expression) directory sections match the directory (or its parents) containing @@ -1029,8 +1029,11 @@ must be stored on a local disk</b>. The PID of the main server process is automatically appended to the filename. <p> -The LockFile is subject to the same warnings about log file placement and -<a href="../misc/security_tips.html#serverroot">security</a>. +<STRONG>SECURITY:</STRONG> It is best to avoid putting this file in a +world writable directory such as <CODE>/var/tmp</CODE> because someone +could create a denial of service attack and prevent the server from +starting by creating a lockfile with the same name as the one the +server will try to create.<p> <P><HR> 
@@ -1369,7 +1372,7 @@ <H2><A name="rlimit">RLimitCPU</A> <A NAME="rlimitcpu">directive</A></H2> <!--%plaintext <?INDEX {\tt RLimitCPU} directive> --> <strong>Syntax:</strong> RLimitCPU <em># or 'max'</em> <em>[# or 'max']</em><br> -<strong>Default:</strong> <e>Unset; uses operating system defaults</e><br> +<strong>Default:</strong> <em>Unset; uses operating system defaults</em><br> <strong>Context:</strong> server config, virtual host<br> <strong>Status:</strong> core<br> <strong>Compatibility:</strong> RLimitCPU is only available in Apache 1.2 and later<p> @@ -1388,7 +1391,7 @@ <h2><A name="rlimitmem">RLimitMEM directive</A></h2> <!--%plaintext <?INDEX {\tt RLimitMEM} directive> --> <strong>Syntax:</strong> RLimitMEM <em># or 'max'</em> <em>[# or 'max']</em><br> -<strong>Default:</strong> <e>Unset; uses operating system defaults</e><br> +<strong>Default:</strong> <em>Unset; uses operating system defaults</em><br> <strong>Context:</strong> server config, virtual host<br> <strong>Status:</strong> core<br> <strong>Compatibility:</strong> RLimitMEM is only available in Apache 1.2 and later<p> @@ -1407,7 +1410,7 @@ <h2><A name="rlimitnproc">RLimitNPROC directive</A></h2> <!--%plaintext <?INDEX {\tt RLimitNPROC} directive> --> <strong>Syntax:</strong> RLimitNPROC <em># or 'max'</em> <em>[# or 'max']</em><br> -<strong>Default:</strong> <e>Unset; uses operating system defaults</e><br> +<strong>Default:</strong> <em>Unset; uses operating system defaults</em><br> <strong>Context:</strong> server config, virtual host<br> <strong>Status:</strong> core<br> <strong>Compatibility:</strong> RLimitNPROC is only available in Apache 1.2 and later<p> 
@@ -1605,16 +1608,14 @@ connection received, a new copy of the server is started from scratch; after the connection is complete, this program exits. There is a high price to pay per connection, but for security reasons, some admins prefer this option. +<FONT COLOR="red">Inetd mode is no longer recommended and does not always +work properly. Avoid it if at all possible.</FONT> <p> Standalone is the most common setting for ServerType since it is far more efficient. The server is started once, and services all subsequent connections. If you intend running Apache to serve a busy site, standalone will probably be your only option.<p> - -SECURITY: if you are paranoid about security, run in inetd mode. Security -cannot be guaranteed in either, but whilst most people are happy to use -standalone, inetd is probably least prone to attack.<p><hr> <h2><A name="startservers">StartServers directive</A></h2> <!--%plaintext <?INDEX {\tt StartServers} directive> -->
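Review bot: the new SECURITY paragraph in the LockFile hunk (@@ -1029,8 +1029,11 @@) tells the reader which kind of directory to avoid but not what a safe location looks like, and with the link to security_tips.html#serverroot removed there is no pointer left to that guidance. Suggest adding one sentence saying the lock file directory should be writable only by the user that starts the server. The added text also ends in `<p>` directly before the unchanged `<P><HR>` line, which leaves an empty paragraph, so the trailing `<p>` can go. Minor: `<STRONG>` and `<CODE>` are upper case here while the RLimit hunks in the same patch use lower-case `<strong>` and `<em>`.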
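Review bot: in the ServerType hunk (@@ -1605,16 +1608,14 @@) the added "Inetd mode is no longer recommended" sentence lands directly after the unchanged sentence "but for security reasons, some admins prefer this option", so the paragraph still presents inetd as a security choice even though the log message says that encouragement is being removed. Suggest rewording or dropping that clause in the same change so the two sentences do not contradict each other. The deleted SECURITY paragraph also carried the closing `<p><hr>`, so the rule that separated this section from the StartServers heading is lost; keep an `<hr>` after "your only option.<p>". The warning is marked with `<FONT COLOR="red">` while the LockFile warning in this patch uses `<STRONG>SECURITY:</STRONG>`; using one convention for both would be more consistent.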