httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: Removing an suexec check
Date Fri, 10 May 2002 17:28:08 GMT

On Fri, 10 May 2002, Michael Carmack wrote:
> WRT my other reply, is this still a concern if apache is assigned a unique
> userid and has a password-less account? What if it was a no-login account?
> I've been trying to think of a real-world exploit under such a scenario
> but haven't come up with anything. Can you think of an example?

I already replied to this.

Think of it this way: if you are going to give the apache userid (through
suexec) enough privileges to compromise any user on the system, why don't
you just run apache as root?  Bad idea?  Yes.

> I looked at cgiwrap, but something about it turned me off (can't recall
> what it was at the moment).
>
> Running a separate httpd seems like a lot of overhead--There may be 100+
> vhosts on the box. Besides, wouldn't they all have to bind to a separate
> port? That seems messy.

I didn't say it would be easy.  The problem you are trying to solve is not
easy.

Joshua.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

