Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the '10.4: Check changes made to Apache's config file' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.4: Check changes made to Apache's config file
Authored by: koncept on Oct 07, '05 07:45:24AM

I really hope I am not alone on this issue, but I just have to say that in the past, this issue has really frosted me. So much so, that I don't use the default Apache server any longer and decided to build my own where Apple can't touch it.

It REALLY bugs me when Apple does these updates and don't feel the need to warn that the httpd.conf has been replaced and/or modified. I say this because as mentioned before, many people customize this file to activate PHP and what not, so the results of these patches can bring about some rather problematic security issues. For example, along comes a patch that changes the "Rendezvous" module to "Bonjour", and now your PHP source code being served to your visitors as plain text! Way to go Apple.



[ Reply to This | # ]
10.4: Check changes made to Apache's config file
Authored by: hagbard on Oct 07, '05 12:36:13PM

I've seen this in a panther update. That's almost a criminal offence ! I mean there could have been mysql passwords etc inside those .php that were served as source code !



[ Reply to This | # ]
10.4: Check changes made to Apache's config file
Authored by: TvE on Oct 08, '05 02:13:55AM

If one cares about security then one would be expected to do at least one of the following:

- read the "list of files" the installer will install
- read about bugs (or none) on eg macfixit forums befor installing an update
- check on a testing server
- run a server as opposed to a client


Specifically regarding the changes in httpd.conf - I am fairly positive that this issue (replacing the file on upgrade) have been around since 10.0.0 so I guess it is common knowledge as well as well documented (on non-Apple sites) for a lot of OS X users



[ Reply to This | # ]
10.4: Check changes made to Apache's config file
Authored by: Chiwo on Oct 09, '05 05:09:49AM
FWIW, I launch my own Apache like this:
/usr/sbin/httpd -f $HOME/etc/httpd/httpd.conf


[ Reply to This | # ]
10.4: Check changes made to Apache's config file
Authored by: koncept on Oct 11, '05 04:58:10AM

Great workaround. Thanks.



[ Reply to This | # ]