httpd-dev mailing list archives

From "Mladen Turk" <mt...@mappingsoft.com>
Subject RE: [PATCH] mpm/winnt service permissions
Date Wed, 10 Jul 2002 04:48:44 GMT

Just one thought :-)

I think that at least Administrator privileges are needed to start the
services.
The ApacheMonitor will definitely need that once async behavior
is used, so that calls for starting services get serialized with
LockServiceDatabase, which needs Admin privileges.
So I'm for the GENERIC_READ/GENERIC_WRITE/GENERIC_EXECUTE generic access
types, and not for finding security holes. Neither AM nor Apache
should break that by allowing starting or stopping something that cannot
be done through Service Manager itself, and should report that as access
violation errors.
 
MT.

> -----Original Message-----
> From: David Shane Holden [mailto:dpejesh@yahoo.com] 
> Sent: Wednesday, July 10, 2002 2:28 AM
> To: dev@httpd.apache.org
> Subject: Re: [PATCH] mpm/winnt service permissions
> 
> 
> Correct me if I'm wrong, but it sounds like you think this is for 
> ApacheMonitor.  This is for the winnt mpm itself.
> I thought your patch this morning was for the mpm just as I 
> believe you 
> think this is for the monitor.
> 
> Shane
> 
> 
> William A. Rowe, Jr. wrote:
> 
> > At 01:40 PM 7/9/2002, you wrote:
> >
> >> This patch sets the calls to OpenSCManager and OpenService 
> to use the
> >> minimum required privileges.
> >
> >
> > Cool.  Could you cvs up to grab the latest version with Mladen's 
> > patch, compare your suggested changes to his latest changes for 
> > requested privileges, and provide an updated patch to discuss?
> >
> > Bill
> >

> >> -                                     SC_MANAGER_ALL_ACCESS);
> >> +                                     SC_MANAGER_CONNECT);
> >>          if (!schSCManager) {
> >>              rv = apr_get_os_error();
> >>              ap_log_error(APLOG_MARK, APLOG_ERR | 
> APLOG_STARTUP, rv,
> >> NULL,
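
Review bot: the SC_MANAGER_CONNECT replacement at the top of this hunk arrives without its @@ header or the OpenSCManager line, so the function it belongs to cannot be identified from the mail. SC_MANAGER_CONNECT is sufficient when the handle is only passed to OpenService, but CreateService requires SC_MANAGER_CREATE_SERVICE on the manager handle; if this is the install path, request that right explicitly, and add a comment next to the access mask naming the call it is sized for.
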
> >> @@ -1265,7 +1262,7 @@
> >>          SC_HANDLE   schSCManager;
> >>
> >>          schSCManager = OpenSCManager(NULL, NULL, // 
> default machine
> >> & database
> >> -                                     SC_MANAGER_ALL_ACCESS);
> >> +                                     SC_MANAGER_CONNECT);
> >>
> >>          if (!schSCManager) {
> >>              ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP,
> >> apr_get_os_error(), NULL,
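
Review bot: the context lines in this hunk have been wrapped by the mail client: the OpenSCManager line breaks inside the "// default machine & database" comment, and the ap_log_error line breaks before "apr_get_os_error(), NULL,". The patch will not apply as posted; please resend it as an attachment or with line wrapping disabled.
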
> >> @@ -1275,7 +1272,8 @@
> >>
> >>          /* ###: utf-ize */
> >>          schService = OpenService(schSCManager, mpm_service_name,
> >> -                                 SERVICE_ALL_ACCESS);
> >> +                                 SERVICE_INTERROGATE |
> >> SERVICE_QUERY_STATUS |
> >> +                                 SERVICE_START | SERVICE_STOP);
> >>
> >>          if (schService == NULL) {
> >>              /* Could not open the service */
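
Review bot: the new OpenService mask requests SERVICE_START and SERVICE_STOP in the same call, so the open fails with access denied for an account that holds only one of those rights, before the code has attempted either operation. If this path only starts or only stops the service, drop the right it does not use, or choose the mask from the requested action. The "Could not open the service" branch would also benefit from logging which rights were requested, so an access-denied failure can be diagnosed.
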
> >
> >
> >
> 
> 
> 
> 

