httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] apache as non-root
Date Thu, 08 Nov 2007 14:39:40 GMT
On Nov 8, 2007 9:12 AM, Axel-Stephane  SMORGRAV
<Axel-Stephane.SMORGRAV@europe.adp.com> wrote:
> -----Original Message-----
> >From: jslive@gmail.com [mailto:jslive@gmail.com] On behalf of Joshua Slive
> >Sent: Thursday, 8 November 2007 14:56
> >To: users@httpd.apache.org
> >Subject: Re: [users@httpd] apache as non-root
> >
> >On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV <Axel-Stephane.SMORGRAV@europe.adp.com> wrote:
> >> Whether Apache is started with sudo or is suid root, anyone able to start an Apache
> >> instance with the configuration of his/her choice can do bad things on the server.
> >
> >No, if apache is started with normal user privileges, it can't do harm beyond the
> >privileges of that user. By setting apache suid root, anyone on your system can obtain complete
> >root access by using the -f flag to specify a config file. (I won't give specifics of what
> >you need to put in the config file, but it is quite easy for anyone with some apache knowledge.)
>
>
> Well, Joshua, that was basically what I was trying to say. If Apache is started with
> root privileges (whether sudo or setuid) with a carefully crafted configuration, bad things
> can happen.
>
> So the question is rather whether you can entrust some or all legitimate non-root users
> of the host with the ability to start Apache with root privileges so it can bind to reserved
> ports, and in that case how you choose to do so.
>

Ok. I misread your message. What people should remember is that anyone
who can control the main apache config files can gain the privileges
of the user who starts apache.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
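
An audit for the two conditions raised in this thread, a setuid httpd binary and a main config file that someone other than the starting user can modify, is sketched below. It is an added example, not part of the original messages or of the Apache project; the function names are hypothetical, the binary and config paths are supplied by the operator, and the starting user is assumed to be root (uid 0) unless other uids are passed in.

```python
import os
import stat
import sys
from pathlib import Path


def setuid_owner(st):
    """Return the uid the binary would run as if its setuid bit is set, else None."""
    return st.st_uid if st.st_mode & stat.S_ISUID else None


def untrusted_write(st, trusted_uids):
    """Say why an account outside trusted_uids could modify this inode, or return None."""
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    # In a sticky directory, entries can only be replaced by their owner.
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
        return None
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return f"group-writable (gid {st.st_gid})"
    return None


def audit_config(conf, trusted_uids=frozenset({0})):
    """Check the config file and every directory above it.

    A writable parent directory lets the file be replaced, so it counts
    the same as a writable file. Returns a list of (path, reason).
    """
    conf = Path(conf).resolve()
    findings = []
    for p in [conf, *conf.parents]:
        reason = untrusted_write(p.stat(), trusted_uids)
        if reason:
            findings.append((str(p), reason))
    return findings


if __name__ == "__main__":
    # Usage (paths are operator-supplied): audit.py <httpd binary> <main config>
    binary, conf = sys.argv[1:3]
    uid = setuid_owner(os.stat(binary))
    if uid is not None:
        print(f"{binary}: setuid, runs as uid {uid} for any local user")
    for path, reason in audit_config(conf):
        print(f"{path}: {reason}")
```

The check covers only the file named on the command line and its parent directories; files pulled in through Include directives need the same audit.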

