httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: Using the PUT method with Apache
Date Tue, 25 Feb 1997 23:59:38 GMT
On Tue, 25 Feb 1997, Jason S. Clary wrote:

> Guess someone best squash all the buffer overflow problems.. ;P

Someone better.  Anyone should please feel free to do a code review of the
server for security problems.  I plan on doing another in a number of
months; the first time through there were just so many things to fix that
I would be very surprised if I didn't miss a couple of obvious ones, in
addition to all the hidden ones.

> 
> Is anyone worried about ftp servers being run as root?

Yup.  Unfortunately, there are a few reasons why it is a problem to have
them any other way; those include issuing the user command after being
logged in and binding to ports for the data connection.

I think Apache is a larger code base and is far more likely to have poorly
coded extensions added.  There are certain things it would be very nice to
be able to do which would require keeping a real or saved uid as root, but
I can't convince myself it is a good thing to do.

> 
> ---
> Jason S. Clary <jclary@futurefx.com>
> http://www.futurefx.com/~jclary/
> ---
> 
> ----------
> > From: Marc Slemko <marcs@valis.worldgate.com>
> > To: new-httpd@hyperreal.com
> > Subject: Re: Using the PUT method with Apache
> > Date: Tuesday, February 25, 1997 8:43 AM
> > 
> > No good.  Problem is that when someone exploits something like a buffer
> > overflow in the webserver all it takes is a trivial bit more code to get
> > rid of any such restrictions and you have root.  The child process still
> > needs root privs to do this; changing the euid only shuffles the problem
> > around a bit. 
> > 
> > On Tue, 25 Feb 1997, Jason S. Clary wrote:
> > 
> > > Switching effective only might work, and then forking and setting real for
> > > CGI runs so the main httpd process runs as root, the children run as effective
> > > for whatever web they are accessing, and CGI's run real for whatever web they
> > > are running from.
> > > 
> > > It would take a VERY keen eye for security to implement this and a lot of
> > > time and testing.
> > > 
> > > > Two of the projects I am thinking about when I have time are a reasonably
> > > > secure PUT handler (external setuid binary, gets user password on stdin
> > > > and verifies it itself) with an idea of trying to get it into the base
> > > > distribution (would need hooks in the source...) and doing a web based
> > > > configuration interface; probably a separate admin server process like
> > > > most do it, let the user start it by just typing "httpd -config" and
> > > > loading their web browser.
> > > > 
> > > > Both involve doing root-only things that have to be done securely.  Not
> > > > sure I will ever get to any of these, but...
> > > 
> 
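
The point argued in this thread, that switching only the effective uid leaves root recoverable through the saved uid, shown as an added example (not part of the original messages or of Apache's source). The `model_*` functions are a simplified, hypothetical model of POSIX uid rules that ignores Linux capabilities; `drop_privileges_permanently` is one way to do and verify a real drop, and uid 1000 in the test is a constructed value.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#endif
#include <sys/types.h>
#include <grp.h>
#include <unistd.h>

/* Simplified model of the (real, effective, saved) uid triple. */
struct ids { uid_t r, e, s; };

/* seteuid(): euid 0 may pick any uid; others only their real or saved uid. */
int model_seteuid(struct ids *p, uid_t t) {
    if (p->e != 0 && t != p->r && t != p->s) return -1;
    p->e = t;
    return 0;
}

/* setuid(): with euid 0 it overwrites all three ids, which is what makes
   the drop permanent; otherwise it behaves like seteuid(). */
int model_setuid(struct ids *p, uid_t t) {
    if (p->e == 0) { p->r = p->e = p->s = t; return 0; }
    return model_seteuid(p, t);
}

/* Effective-only switch, as proposed in the thread, followed by an attempt
   to take root back. Returns 1 because the saved uid is still 0. */
int euid_only_is_reversible(uid_t web_uid) {
    struct ids p = {0, 0, 0};
    model_seteuid(&p, web_uid);
    return model_seteuid(&p, 0) == 0;
}

/* Full drop via setuid() while still root. Returns 0: no id is left at 0. */
int full_drop_is_reversible(uid_t web_uid) {
    struct ids p = {0, 0, 0};
    model_setuid(&p, web_uid);
    return model_seteuid(&p, 0) == 0 || model_setuid(&p, 0) == 0;
}

/* Real drop: groups first, then gid, then uid, then prove root is gone.
   Returns 0 only if the ids changed and cannot be switched back. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0)) return -1;
    if (gid != 0 && setegid(0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}
```

A process that has gone through `drop_privileges_permanently` can no longer bind low ports or switch users, which is the trade-off the thread describes for FTP-style servers.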

