No good. Problem is that when someone exploits something like a buffer
overflow in the webserver all it takes is a trivial bit more code to get
rid of any such restrictions and you have root. The child process still
needs root privs to do this; changing the euid only shuffles the problem
around a bit.
On Tue, 25 Feb 1997, Jason S. Clary wrote:
> Switching effective only might work, and then forking and setting real for
> CGI runs so the main httpd process runs as root, the children run as
> effective
> for whatever web they are accessing, and CGI's run real for whatever web they
> are running from.
>
> It would take a VERY keen eye for security to implement this and a lot of
> time and testing.
>
> > Two of the projects I am thinking about when I have time are a reasonably
> > secure PUT handler (external setuid binary, gets user password on stdin
> > and verifies it itself) with an idea of trying to get it into the base
> > distribution (would need hooks in the source...) and doing a web based
> > configuration interface; probably a separate admin server process like
> > most do it, let the user start it by just typing "httpd -config" and
> > loading their web browser.
> >
> > Both involve doing root-only things that have to be done securely. Not
> > sure I will ever get to any of these, but...
>
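The point made at the top of the reply (an effective-uid switch is undone by one more syscall, while a real drop is not) is easy to see in code. The following is an added example written for this page, not code from the thread or from any httpd source; it assumes Linux/glibc (setresuid, setresgid, getresuid), and the function names and the uid 65534 used as "nobody" are this example's own choices.

```c
/* Added example (not from the thread): why switching only the effective uid
 * does not remove root from a child process, versus a permanent drop.
 * Assumes Linux/glibc; function names and uid 65534 are assumptions. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the real, effective or saved uid is 0: the process (or anything
 * injected into it) can still call seteuid(0) and be root again.
 * 0 otherwise, -1 if getresuid() fails. */
int can_regain_root(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return (r == 0 || e == 0 || s == 0) ? 1 : 0;
}

/* The "effective only" scheme discussed in the thread: the saved uid stays 0,
 * so this is reversible with a single seteuid(0). Returns 0 on success. */
int drop_euid_only(uid_t uid) {
    return seteuid(uid);
}

/* Permanent drop: clear supplementary groups, set real/effective/saved gid
 * and uid, then prove it worked by trying to become root again.
 * Returns 0 if privileges are gone for good, -1 on any failure. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;   /* gid first, while still root */
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (uid != 0 && seteuid(0) == 0) return -1;     /* must fail with EPERM */
    if (uid != 0 && can_regain_root() != 0) return -1;
    return 0;
}

int main(void) {
    if (geteuid() != 0) {
        printf("run as root to see the difference; uid %u can_regain_root=%d\n",
               (unsigned)getuid(), can_regain_root());
        return 0;
    }
    const uid_t unpriv = 65534;  /* "nobody" on most Linux systems (assumption) */

    /* Scheme from the thread: euid changes, saved uid is still 0. */
    drop_euid_only(unpriv);
    printf("after seteuid(%u): euid=%u, can_regain_root=%d\n",
           (unsigned)unpriv, (unsigned)geteuid(), can_regain_root());
    /* The "trivial bit more code" an exploit in the child would run: */
    if (seteuid(0) == 0)
        printf("seteuid(0) succeeded: back to euid=%u\n", (unsigned)geteuid());

    /* Permanent drop: no uid left to return to. */
    if (drop_privileges_permanently(unpriv, unpriv) == 0)
        printf("after setresuid: euid=%u, can_regain_root=%d\n",
               (unsigned)geteuid(), can_regain_root());
    else
        perror("drop_privileges_permanently");
    return 0;
}
```

Run as root it prints can_regain_root=1 after the seteuid() step and 0 after the setresuid() step; run as an ordinary user the calls are no-ops and the check simply reports 0. The order matters: groups and gid must be dropped while the process is still root, because afterwards it no longer has the privilege to change them.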