httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Stein <gst...@lyra.org>
Subject Re: apache Auth password files
Date Thu, 20 Jan 2000 17:29:27 GMT
I typically place the password file in a directory that is not mapped to
the URL namespace. For example:

  /home/gstein/my_auth_file
  /home/gstein/public_html/.htaccess       ; this refers to my_auth_file

There is nothing you can do about CGI files grabbing them, unless you
happen to use suEXEC (and enable reading by the web process, but disallow
for all CGI users).

If security is an issue, then don't use password files. Personally, I use
mod_auth_mysql and put all the data into MySQL. Of course, then maybe
somebody would write a PHP script to snarf the data :-)

Note that in these various cases that the passwords are stored in an
encrypted form. Not that it helps in the long run, but it helps somewhat.

Also, the pool architecture does not prevent buffer overflows. You could
still alloc something within a pool and overwrite the bugger, causing
later messups (primarily, a DoS rather than a sophisticated attack). Of
course, Apache could still have fixed-size buffers somewhere that are
subject to overflows and therefore to complex attacks. (it doesn't have
fixed-size vars, but the pool architecture doesn't prevent it)

... that's about it for my brain so far.

Cheers,
-g

On Thu, 20 Jan 2000, John Wojtowicz wrote:

> I'm curious about Apache security in regards to it's Auth password
> files, and I'm looking for some comments.
> 
> Does apache on Unix provide any DAC (file permission) protection, 
> to its Auth password files?
> 
> >From my understanding of Apache, it's auth password files must
> be readable by the user or group that the "listener" processes run 
> as, which is defined by the User and Group directives.   
> 
> This comes as a result of the fact that these Auth password 
> files are opened on a per request basis, by the listener processes.
> This is unlike the log files which are opened by the "listen-spawner"
> process which runs as root and whose file descriptors
> are passed via fork() to the listener processes.  (NOTE: 
> opening the password files initially as root, and passing descriptors,
> along to the child processes may be as bad or worse as a 
> security model).
> 
> This doesn't quite match the Unix /etc/shadow model, in which 
> only a privileged process (one running as root) can read the 
> /etc/shadow file which contains encrypted passwords.
> 
> The current model seems to rely on CGI's being programmed correctly,
> and lack of buffer overflows in Apache (impossible with it's pool 
> mechanism???) to prevent the Auth password files from being
> grabbed by a malicious web request.
> 
> Anyway, I was just looking for some comment on this particular 
> security aspect of Apache's design.
> 
> Thanks,
> 
> John 
> --
> John Wojtowicz, Secure Systems Engr.  ph:    (703) 318-7134
> Trusted Computer Solutions, Inc.      fax:   (703) 318-5041
> 13873 Park Center Rd. Suite 225       email: jwojtowicz@tcs-sec.com
> Herndon, VA  20171                    http://www.tcs-sec.com/
> 

-- 
Greg Stein, http://www.lyra.org/


Mime
View raw message