httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Campbell <>
Subject Re: Possible security enhancement to apache server
Date Tue, 26 Jun 2001 03:20:32 GMT

Like I said, the apache config files need to be writable by the control-centre
so they'd have to be writeable by the uid under which the control-centre runs.

Then I guess that apache could be launched from sudo and then change down to a different
uid that could read the config files as well.  Sounds ok.

But given that the control-centre is having to invoke sudo under programmatic control,
sudo would have to be configured with no password, because it I presume that it requires
passwords to be read from a tty, and even if it were to use a password, it must be stored

Then, that means that the uid under which the control-centre runs has write access to the
apache config files and the ability to launch apache as root using sudo, which means that
they could alter the apache config to do something it shouldn't, and start up apache as root,
and there you go, they can easily get a root shell.

-- Dave

Ian Holsman wrote:

> Hi David,
> why not have the config files owned by another user/group (eg webops)
> and have a some scripts runnable by sudo? (start/restart/stop)
> that should provide the level of control you need.
> > This opens up a can of worms with respect to security.  Many people
> > do this anyway.
> >
> > I would like to propose a configurable option to Apache's bind process
> > that does something along the following lines.  The idea is this:  allow non-root
> > user processes to bind to low ports, but do it in a well-defined and fully
> > controllable way.  How?  Read on.
> >
> > The technique is as follows:  instead of calling bind() directly from
> > Apache, optionally (given configuraiton options) invoke a function
> > delegate_bind() which has the same parameters as bind(), which if
> > binding to low ports, internally does a fork() and execs a setuid
> > root program that inherits the socket from its parent process and
> > does the bind of the socket to a low port.  Because the socket in
> > the child process is the same as the socket in the parent process,
> > the bind done in the child process does bind the socket in the
> > parent process.  The child process then exits returning status etc.
> > This setuid program can check a configuration file in /etc to see
> > whether the invoking user is allowed to do the bind to the particular
> > port, and deny them if not allowed.
> >
> > I have a working implementation of the above (not integrated into
> > apache) at:
> >   (3k)
> >
> > I'm quite happy to try to integrate the above into Apache sources,
> > but would there be interest from the powers that be to include the
> > above into the apache distribution?
> >
> > Does anybody have any comments about the implications
> > of the above?
> >
> > Are there any complexities that I could possibly be not seeing?
> >
> > --
> > Regards,
> > -- Dave Campbell
> >    PHONE AUS  07 3216 6015
> >    PHONE INTL +61 7 3216 6015
> >

-- Dave Campbell
   PHONE AUS  07 3216 6015
   PHONE INTL +61 7 3216 6015

View raw message