From: "Lance Uyehara"
Subject: Re: running apache as a root
Date: Fri, 8 Mar 2002 16:03:35 -0800

Some SUID documentation from the mod_perl world. I don't think it's really
mod_perl specific though.

http://thingy.kcilink.com/modperlguide/control/SUID_Start_up_Scripts.html

-Lance

> unfortunately, suid only works on compiled programs (another safety
> issue). Scripts won't work.
>
> C wrappers are fairly simple - take a look at the execv function's man
> page.
>
> >>> amitjkhatri@hotmail.com 03/08/02 16:04 PM >>>
>
> I tried the chown command on my script named "first.pl"
>
> now the " ls -l first.pl " shows this:
>
> " -rwsrwsrwx . . . . "
>
> it is not executable. i.e it is not running on the browser.
>
> "perl first.pl" shows
>
> Setuid/gid script is writable by world.
>
> --------------------------------------------------------------
> What I want is to run " ipchains -n -L" command , (sent through the
> browser) to run on the server.
>
> >From: "Pete Nelson"
> >Reply-To: users@httpd.apache.org
> >Subject: Re: running apache as a root
> >Date: Fri, 08 Mar 2002 15:21:44 -0600
> >
> >You've run into a safety feature of Apache - it generally won't let you
> >run as root. The only way you can get around this is by building Apache
> >from the source code. If you download the source from Apache, you
> >should find a line in src/Configuration like:
> >
> >EXTRA_CFLAGS=
> >
> >Just change this to 'EXTRA_CFLAGS=-DBIG_SECURITY_HOLE', rebuild, and be
> >prepared to suffer the consequences.
> >
> >Generally, having the server run as root opens up ALL KINDS of possible
> >security holes, not only through apache, but also through any CGI
> >programs, any modules like PHP, etc. There's a good reason someone at
> >Apache wrote the code to prevent it from running as root - think VERY
> >carefully before you try to side-step this.
> >
> >Maybe a better option would be to suid the program that you need the
> >server to run (think long and hard on the consequences of THAT!). As an
> >example, I needed the ability to gracefully restart the server from a
> >web application (a separately running server process). I created a C
> >wrapper that would test the config file, and if good, would do a
> >graceful restart (no other options!). Then as root:
> >
> >chown root.root apache_restart
> >chmod a+s apache_restart
> >
> >So now anyone can run this script, and it will run as user root. But
> >it doesn't open up the kind of holes you'd have if the server was
> >running as root.
> >
> >--
> >Pete Nelson, Web Developer
> >
> >http://www.ci.stpaul.mn.us/
> >
> > >>> amitjkhatri@hotmail.com 03/08/02 03:06PM >>>
> >
> >I have to run apache server as a root, so that it can run some
> >commands , which only root can run.
> >( ipchains, add route....)
> >
> >I tried adding following line in apache.conf file :
> >
> >user root
> >group apache
> >
> >but the msg was :-
> >
> > Apache is not designed to to serve pages while running as root.
> > if you still want to serve the pages as root then
> > add -DBIG_SECURITY_HOLE to your EXTRA_CFLAGS line in your
> > src/Configuration file and rebuild the server.
> >
> >-------------------------------------------------------------
> >
> >I could not understand what it means ,
> >Is there any other simple method.
> >
> >cheers
> >
> >Amit Khatri

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org