httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] How to start Apache automatically with certificate?
Date Thu, 04 Sep 2008 17:33:20 GMT
Joseph S D Yao wrote:
> On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
> ...
>> They've also suggested that their conf files be owned by root, and only
>> readable by the apache user, which you also disagree with.
> ...
> 
> Nobody has come up with a good argument for this, or a refutation of my
> argument against it.

The refutation is that in order to bind to port 80, have access to keys,
etc, httpd must start as root.  If the conf files are owned by an "wwwadmin"
role user, that's fine, it's one degree removed from root.  But if they
are owned by the user which httpd process runs-as (after User directives),
then the system can be exploited;

whomever configures httpd.conf ultimate is running code as-root initially.
Perhaps you have modperl configuration, or exploit an overrun of config
syntax parsing.  Whatever, your conf is run as root, so it is no less secure
to demand these files are edited by root.

>> Your security advice, from what I've seen, is at best misinformed, and
>> at worst it is negligent. I urge anyone reading this thread to check
>> some reputable sources before implementing any of Joseph's suggestions.
> 
> I urge anyone reading this thread to actually read it.

Please stop pushing an ill advised agenda until you thoroughly understand
httpd security.  Tom Evans post was the most succinct summary presented
yet, and I find no fault in it.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message