httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: running server as root (Was: Re: PUT method)
Date Sat, 12 Jul 1997 20:17:20 GMT
On Sat, 12 Jul 1997, Ingo Lütkebohle wrote:

> Marc Slemko wrote:
> > If you have a real uid of root, then if someone finds something like a
> > buffer overflow in the code that is exploitable they can get root.  Sure,
> > takes another couple of syscalls but no big deal.  That is not good.
> 
> Isn't that the case for almost every other server you care to mention?

It is the case of many servers.  How many security holes has wu-ftpd had
that let you get root?  How many security holes has sendmail had that let
you get root?  How many security holes has Apache had that let you get
root?

The answer to the first two is lots, the last one is darn few, if any,
provided you have it configured correctly, even though correctly was not
always documented.  Note the first two run with a real uid of root some or
most of the time, the latter doesn't.

If Apache 1.1 ran with a ruid of root and just switched euids, it would
have almost certainly let someone get root through various bugs.

> What about switching to an EUID of nobody early in the request
> processing stage?

Does no good.  

There certainly are _lots_ of cool features that would be nice to do if
Apache could switch euid at will.  I am not yet convinced the security
risks are worth it.

I have gone through the source.  I have patched many security holes.  I am
not convinced it is safe.
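
The distinction argued in this message, as an added C example that is not part of the original e-mail and is not Apache's code: a process that only switches its effective uid keeps root as its real and saved uid, while a permanent drop clears all three and verifies that root cannot be regained. The function names and the sample uid 65534 are assumptions made for the illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc exposes getresuid() only under _GNU_SOURCE, so declare it directly. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* seteuid(0) succeeds whenever 0 is the real or saved uid, so code injected
 * into the process can return to root if any one of the three ids is still 0. */
int root_reachable(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid == 0 || euid == 0 || suid == 0;
}

/* Audit the calling process: 1 = root reachable, 0 = not, -1 = error. */
int root_reachable_now(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return root_reachable(r, e, s);
}

/* Permanent drop for a process started as root. Groups and gid go first:
 * once setuid() has run, the process may no longer change them. */
int drop_root_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                          /* refuse to "drop" to root */
    if (setgroups(1, &gid) != 0) return -1; /* replace supplementary groups */
    if (setgid(gid) != 0) return -1;        /* as root: real, effective, saved gid */
    if (setuid(uid) != 0) return -1;        /* as root: real, effective, saved uid */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;                          /* root came back: drop did not hold */
    return root_reachable_now() == 0 ? 0 : -1;
}

int main(void)
{
    uid_t nobody = 65534;                   /* constructed sample uid */
    /* The layout discussed in the thread: real uid root, effective uid switched. */
    printf("euid switched only: reachable=%d\n", root_reachable(0, nobody, 0));
    printf("all three dropped:  reachable=%d\n", root_reachable(nobody, nobody, nobody));
    printf("this process:       reachable=%d\n", root_reachable_now());
    return 0;
}
```

A caller that gets -1 from `drop_root_permanently` should exit rather than continue serving requests, since the process may be left in a partially dropped state.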

