httpd-users mailing list archives

From "amit khatri" <amitjkha...@hotmail.com>
Subject Re: running apache as a root
Date Fri, 08 Mar 2002 22:04:07 GMT

I tried the chown command on my script named "first.pl"

Now "ls -l first.pl" shows this:

" -rwsrwsrwx . . . .  "

It is not executable, i.e. it is not running in the browser.

"perl first.pl"  shows

Setuid/gid script is writable by world.

  --------------------------------------------------------------
What I want is to run the "ipchains -n -L" command (sent through the
browser) on the server.





>From: "Pete Nelson" <pete.nelson@ci.stpaul.mn.us>
>Reply-To: users@httpd.apache.org
>To: <users@httpd.apache.org>
>Subject: Re: running apache as a root
>Date: Fri, 08 Mar 2002 15:21:44 -0600
>
>You've run into a safety feature of Apache - it generally won't let you
>run as root.  The only way you can get around this is by building Apache
>from the source code.  If you download the source from Apache, you
>should find a line in src/Configuration like:
>
>EXTRA_CFLAGS=
>
>Just change this to 'EXTRA_CFLAGS=-DBIG_SECURITY_HOLE', rebuild, and be
>prepared to suffer the consequences.
>
>Generally, having the server run as root opens up ALL KINDS of possible
>security holes, not only through apache, but also through any CGI
>programs, any modules like PHP, etc.  There's a good reason someone at
>Apache wrote the code to prevent it from running as root - think VERY
>carefully before you try to side-step this.
>
>Maybe a better option would be to suid the program that you need the
>server to run (think long and hard on the consequences of THAT!).  As an
>example, I needed the ability to gracefully restart the server from a
>web application (a separately running server process).  I created a C
>wrapper that would test the config file, and if good, would do a
>graceful restart (no other options!). Then as root:
>
>chown root.root apache_restart
>chmod a+s apache_restart
>
>So now anyone can run this script, and it will run as user root.  But
>it doesn't open up the kind of holes you'd have if the server was
>running as root.
>
>--
>Pete Nelson, Web Developer
><pete.nelson@ci.stpaul.mn.us>
>http://www.ci.stpaul.mn.us/
>
> >>> amitjkhatri@hotmail.com 03/08/02 03:06PM >>>
>
>
>I have to run apache server as a root, so that it can run some
>
>commands , which only root can run. ( ipchains, add route....)
>
>I tried adding following line in apache.conf file :
>
>user root
>group apache
>
>but the msg was :-
>
>    Apache is not designed to to serve pages while running as root.
>    if you still want to serve the pages as root then
>    add -DBIG_SECURITY_HOLE to your EXTRA_CFLAGS line in your
>    src/Configuration file and rebuild the server.
>
>-------------------------------------------------------------
>
>I could not understand what it means.
>Is there any other simple method?
>
>cheers
>
>Amit Khatri
>
>_________________________________________________________________
>Join the world's largest e-mail service with MSN Hotmail.
>http://www.hotmail.com
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server
>Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>






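An added example, not code from the thread: a fixed-command setuid wrapper of the kind Pete describes, applied to the "ipchains -n -L" request. It takes no arguments, replaces the caller's environment, and refuses a target that is not root-owned or is group/world-writable (the condition Perl reported for first.pl). The path /sbin/ipchains and the function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed install path of ipchains; set to the real absolute path. */
#define TARGET "/sbin/ipchains"

/* The only command line this wrapper ever runs: no caller input reaches it. */
static char *const FIXED_ARGV[] = { "ipchains", "-n", "-L", NULL };
/* Minimal environment that replaces whatever the CGI caller passed in. */
static char *const CLEAN_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* A privileged file is acceptable only if it is a regular file owned by root
 * that nobody but the owner can write (-rwsrwsrwx fails this check). */
int mode_is_safe(uid_t owner, mode_t mode)
{
    if (owner != 0)
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;
    return S_ISREG(mode) ? 1 : 0;
}

/* Sanity-check the target on disk before running it with root privileges.
 * lstat() is used so that a symlink is rejected as "not a regular file". */
int target_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return mode_is_safe(st.st_uid, st.st_mode);
}

int main(int argc, char **argv)
{
    (void)argv;
    if (argc != 1) {                       /* refuse any arguments at all */
        fprintf(stderr, "this wrapper takes no arguments\n");
        return 2;
    }
    if (!target_is_safe(TARGET)) {
        fprintf(stderr, "refusing to run %s: missing or unsafe owner/mode\n", TARGET);
        return 1;
    }
    execve(TARGET, FIXED_ARGV, CLEAN_ENV); /* returns only on failure */
    perror("execve");
    return 1;
}
```

The compiled binary itself needs the same ownership and mode discipline as the target: owned by root and not writable by group or others.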