httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] USER directive in MPM_WINNT?
Date Tue, 04 Mar 2003 14:02:02 GMT
At 11:07 PM 3/3/2003, Veydajar wrote:
>The question is all in the subject. Why doesn't mpm_winnt have the USER
>directive (mpm_worker has it, for example), which lets the children serve
>requests as another, unprivileged user, not as ROOT in Unix (and SYSTEM in
>Win XP/2000/NT)?

Because Win32 APIs require user and password.  There is no identical
behavior to setuid() on Win32; LogonUser() and friends all require a password.

>Will it ever be implemented?

Only if we could come up with a truly secure store for that password, so that
it would be immune from many vulnerabilities (not only Apache, consider all
the problems potentially with plain old file sharing.)

>Or are there workarounds to let me start the apache secondary thread as
>another (not SYSTEM) user?

Of course.  http://httpd.apache.org/docs-2.0/platform/windows.html describes
how to change the user that the service is run-as.

>Hmmm... Is this even necessary for Windows?

Oh, very strongly encouraged.  But then you need to take the time and lock
down your files that 'normal users' wouldn't have permission to touch (e.g.
c:\Windows, c:\program files, etc) and then open up permissions (e.g. those
programs that in 2003 still insist on writable program files folders, instead
of per-user files under the \windows\profiles or \documents and settings trees.)
Because most users don't go that extra step, Apache 'by default' makes no
assumptions.

You make a good point; a link to the 'run-as user' service documentation
would be good from the User directive entries in the documentation.

Bill



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
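
Added example, not part of the original message or of the Apache documentation: a PowerShell audit of the two points in the reply above, namely which account the Apache service runs as, and whether ordinary accounts can write to the directories it says to lock down. The service name pattern `Apache*`, the list of broad-group SIDs and the helper name `Get-WritableAce` are assumptions made for this example.

```powershell
# Added example: audit which account Apache services run as, and whether
# ordinary accounts can write to directories that should be locked down.
$servicePattern = 'Apache*'                          # assumption: service name pattern
$dirs      = @($env:SystemRoot, $env:ProgramFiles)   # c:\Windows, c:\program files
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users
# WriteData | AppendData | GENERIC_WRITE | GENERIC_ALL (generic bits appear on some ACEs)
$writeMask = 0x50000006
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Hypothetical helper: return Allow ACEs on $Path that grant write access to any SID in $Sids.
function Get-WritableAce {
    param([string]$Path, [string[]]$Sids)
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        $isAllow  = $r.AccessControlType -eq 'Allow'
        $canWrite = ([int]$r.FileSystemRights -band $writeMask) -ne 0
        if ($isAllow -and $canWrite -and ($Sids -contains $r.IdentityReference.Value)) {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $r.IdentityReference.Value
                Rights = $r.FileSystemRights
            }
        }
    }
}

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $servicePattern }

foreach ($svc in $services) {
    $account = $svc.StartName
    if ($account -eq 'LocalSystem') {
        Write-Warning "$($svc.Name) runs as LocalSystem; set a dedicated run-as account on the service."
        continue
    }
    # '.\name' means a local account; NTAccount needs the machine name instead of '.'
    $name = $account -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value
    } catch {
        Write-Warning "Cannot resolve account '$account' for $($svc.Name)"
        continue
    }
    "{0} runs as {1} ({2})" -f $svc.Name, $account, $sid
    # Report write access held by the service account itself or by the broad groups.
    foreach ($d in $dirs) { Get-WritableAce -Path $d -Sids ($broadSids + $sid) }
}
```

The check reads only the ACL on each listed directory, not on its subfolders, and it does not expand group memberships beyond the three broad groups named in `$broadSids`.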

