httpd-users mailing list archives

From "Krist van Besien" <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] apache as non-root
Date Thu, 08 Nov 2007 14:13:44 GMT
On Nov 8, 2007 2:55 PM, Joshua Slive <joshua@slive.ca> wrote:
> On Nov 8, 2007 7:11 AM, Axel-Stephane  SMORGRAV
> <Axel-Stephane.SMORGRAV@europe.adp.com> wrote:
> > I think you would need to elaborate on that statement. Frankly I can see a few differences,
> > but I am not sure whether those are what you were thinking about. Apache also does a chuid/chgid
> > effectively changing the UID/GID of the process to something which is hopefully not privileged.
> >
> > Whether Apache is started with sudo or is suid root, anyone able to start an Apache
> > instance with the configuration of his/her choice can do bad things on the server.
>
> No, if apache is started with normal user privileges, it can't do harm
> beyond the privileges of that user. By setting apache suid root,
> anyone on your system can obtain complete root access by using the -f
> flag to specify a config file. (I won't give specifics of what you
> need to put in the config file, but it is quite easy for anyone with
> some apache knowledge.)

You could use a wrapper script (as I do) that the user can't change.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
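
One shape the wrapper approach from this message can take, as an added example that is not the poster's script or anything from the Apache project: a launcher meant to be the only command a sudoers rule permits, which pins the config file and passes nothing from the caller except an allowlisted action. The binary and config paths are assumptions, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not the poster's script. Install root-owned, mode 0755, and
# let sudoers permit only this file, never httpd itself.
HTTPD_BIN=/usr/sbin/httpd                 # assumed path
HTTPD_CONF=/etc/httpd/conf/httpd.conf     # assumed path
TRUSTED_UID=0

# Accept only the verbs httpd's -k option understands.
valid_action() {
    case "$1" in
        start|stop|restart|graceful) return 0 ;;
        *) return 1 ;;
    esac
}

# True when path $1 is not a symlink, is owned by uid $2, and is not
# writable by group or others.
path_is_trusted() {
    [ -e "$1" ] && [ ! -L "$1" ] || return 1
    meta=$(ls -ldn -- "$1") || return 1
    mode=${meta%% *}
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

main() {
    if [ "$#" -ne 1 ] || ! valid_action "$1"; then
        echo "usage: $0 start|stop|restart|graceful" >&2
        return 2
    fi
    for p in "$HTTPD_CONF" "$(dirname "$HTTPD_CONF")"; do
        path_is_trusted "$p" "$TRUSTED_UID" || {
            echo "refusing to start: $p is modifiable by non-root" >&2
            return 1
        }
    done
    # The caller's arguments and environment are dropped; only the
    # validated verb reaches httpd, so -f cannot be supplied.
    exec env -i PATH=/usr/sbin:/usr/bin:/bin "$HTTPD_BIN" -f "$HTTPD_CONF" -k "$1"
}

# Run only when an action is given, so the functions can be sourced and tested.
[ "$#" -eq 0 ] || main "$@"
```

Files pulled in by the pinned config through Include directives need the same ownership and permissions, since the check above covers only the main file and its directory.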