httpd-users mailing list archives

From "Axel-Stephane SMORGRAV" <Axel-Stephane.SMORG...@europe.adp.com>
Subject RE: [users@httpd] apache as non-root
Date Thu, 08 Nov 2007 14:12:17 GMT
-----Original Message-----
>From: jslive@gmail.com [mailto:jslive@gmail.com] On Behalf Of Joshua Slive
>Sent: Thursday, November 8, 2007 14:56
>To: users@httpd.apache.org
>Subject: Re: [users@httpd] apache as non-root
>
>On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV <Axel-Stephane.SMORGRAV@europe.adp.com> wrote:
>> Whether Apache is started with sudo or is suid root, anyone able to start an Apache instance with the configuration of his/her choice can do bad things on the server.
>
>No, if apache is started with normal user privileges, it can't do harm beyond the privileges of that user. By setting apache suid root, anyone on your system can obtain complete root access by using the -f flag to specify a config file. (I won't give specifics of what you need to put in the config file, but it is quite easy for anyone with some apache knowledge.)


Well, Joshua, that was basically what I was trying to say. If Apache is started with root
privileges (whether sudo or setuid) with a carefully crafted configuration, bad things can
happen.

So the question is rather whether you can entrust some or all legitimate non-root users of
the host with the ability to start Apache with root privileges so it can bind to reserved
ports, and in that case how you choose to do so.

-ascs

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
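
An audit sketch for the point made in this thread, added here as an example and not part of the original messages or of the Apache project: it reports whether a binary is setuid and root-owned, and classifies a sudoers command entry by whether it leaves the httpd arguments (and so `-f`) to the caller. The function names, the binary names `httpd`/`apache2`/`apachectl` and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample entries
# are assumptions constructed for illustration.

# Report whether FILE carries the setuid bit and whether root owns it.
httpd_setuid_state() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 0; }
    [ -u "$f" ] || { echo "not-setuid"; return 0; }
    owner=$(ls -ln "$f" | awk '{print $3}')   # numeric owner uid
    if [ "$owner" = "0" ]; then echo "setuid-root"; else echo "setuid-other"; fi
}

# Classify one sudoers command entry (path plus optional arguments).
# sudoers semantics: a bare path permits ANY arguments, "" permits none,
# and listed arguments must match (wildcards are allowed in them).
sudo_cmnd_risk() {
    spec=$1
    cmd=${spec%% *}                            # path up to the first space
    case "${cmd##*/}" in
        httpd|apache2|apachectl) ;;
        *) echo "not-httpd"; return 0 ;;
    esac
    if [ "$cmd" = "$spec" ]; then              # bare path: caller picks the arguments
        echo "any-args"; return 0
    fi
    args=${spec#* }
    case "$args" in
        '""')            echo "no-args" ;;
        *\**|*\?*|*\[*)  echo "wildcard-args" ;;
        *)               echo "fixed-args" ;;
    esac
}

# Constructed sample entries, one sudoers command specification per line.
while IFS= read -r entry; do
    printf '%-42s %s\n' "$entry" "$(sudo_cmnd_risk "$entry")"
done <<'EOF'
/usr/sbin/httpd
/usr/sbin/httpd -k start
/usr/sbin/httpd -f /home/*/httpd.conf
/usr/sbin/httpd ""
EOF
```

An entry reported as `any-args` or `wildcard-args`, or a binary reported as `setuid-root`, is the situation the thread describes: the caller, not the administrator, decides which configuration the root-privileged process loads.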