Vulnerability Development mailing list archives

Re: Apache ap_getpass vulnerability


From: Peter Pentchev <roam () ORBITEL BG>
Date: Sat, 4 Nov 2000 18:36:28 +0200

On Mon, Jan 03, 2000 at 09:50:57PM +0100, Simon Tamas wrote:
If you have an Apache module and your module uses configuration
directives then configuration records are set up at your module's
start-up. At this point I thought it was possible to call
ap_getpass() to fill a value in the configuration record (value of
passphrase accompanying the private key -- which is filled with
ap_set_file_slot()).
However I also found difficulties getting user input at module start-up.
Looks like my hook function is called twice, and at the second time
there is no tty.
Any help on this would be appreciated.

You mean you're writing an Apache module that reads user input at
the time the server is starting?..  Does this mean that the server
startup itself becomes interactive?  This pretty much rules out
unattended Apache startup - you need to start the server manually
each time it dies; also, it cannot be put in the system's startup
scripts.  IMHO, this is not such a good idea :(

G'luck,
Peter

--
This would easier understand fewer had omitted.

