httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Wojtowicz <wojto...@tcs-sec.com>
Subject apache Auth password files
Date Thu, 20 Jan 2000 17:00:20 GMT
I'm curious about Apache security in regards to it's Auth password
files, and I'm looking for some comments.

Does apache on Unix provide any DAC (file permission) protection, 
to its Auth password files?

>From my understanding of Apache, it's auth password files must
be readable by the user or group that the "listener" processes run 
as, which is defined by the User and Group directives.   

This comes as a result of the fact that these Auth password 
files are opened on a per request basis, by the listener processes.
This is unlike the log files which are opened by the "listen-spawner"
process which runs as root and whose file descriptors
are passed via fork() to the listener processes.  (NOTE: 
opening the password files initially as root, and passing descriptors,
along to the child processes may be as bad or worse as a 
security model).

This doesn't quite match the Unix /etc/shadow model, in which 
only a privileged process (one running as root) can read the 
/etc/shadow file which contains encrypted passwords.

The current model seems to rely on CGI's being programmed correctly,
and lack of buffer overflows in Apache (impossible with it's pool 
mechanism???) to prevent the Auth password files from being
grabbed by a malicious web request.

Anyway, I was just looking for some comment on this particular 
security aspect of Apache's design.

Thanks,

John 
--
John Wojtowicz, Secure Systems Engr.  ph:    (703) 318-7134
Trusted Computer Solutions, Inc.      fax:   (703) 318-5041
13873 Park Center Rd. Suite 225       email: jwojtowicz@tcs-sec.com
Herndon, VA  20171                    http://www.tcs-sec.com/


Mime
View raw message