www-apache-bugdb mailing list archives

From Chris...@reg.x.camelot.de>
Subject Re: general/985: suggestion: check permissions via os-userbase
Date Mon, 11 Aug 1997 17:47:16 GMT
hi!

> Synopsis: suggestion: check permissions via os-userbase

> It is far more complicated than you make out to do so.

i hope you're wrong... :)

> You then need to trust your web server with root and
> Apache would have to run as root.  That isn't acceptable.

it's absolutely no doubt that the httpd shouldn't run as root, but
the httpd just had to start an instance of itself with the uid and
password given by the user - no need to run as root. this works with
a shell with uid != 0 -> call of su -> shell with uid == 0  -  so why
shouldn't that work for apache as well? :)

and just imagine, all this expensive access-checking could be avoided, if
the file can be read by this apache-process, it is transmitted, if not,
the client side gets a uid/pwd prompt. that's all. :)

> You also run into difficult issues with the (lack of) decent
> security in web-based authentication.

i know about web and (no real) security, but i see this in the hands of
the admin and the users. i'd never log in with an important account to an
important system via http (or at the moment any other protocol than ssh),
but where's the difference whether uid+cryptpw is in the passwd or in a
special users-file for apache? it's just superfluous, if i want a user
'database' for people who deal with the database, why have two such users,
one in passwd and one in the apache users-file? it's just unnecessary
extra work... (and that can then indeed become a security-issue)

(btw there are several possibilities to make http-connects quite secure...
or do you believe you can crack an idea-stream? :)

> We do have suexec, to let CGI scripts be run as users,
> but it works slightly differently and is implemented by
> an external wrapper that changes the uid.

so sorry - but suexec is bullshit (really sorry). not the external wrapper
thing, as i mentioned before i'm quite confident that it's truly a dumb
idea to let the httpd run as root, but it still doesn't work just nearly
as transparent as if you'd use os-permissions.

e.g. my database knows which users/groups are allowed to read and who is
allowed to write. so the easiest and most transparent way to deal with
this permission-problem is to start the cgi-script that executes the
database-queries with a uid that the user specifies.
this is not possible with suexec... :(

oh, btw, IIS and as i've heard CERN both support this feature... but i
like apache quite much and i really dislike the idea to go back to CERN
again...

> Thanks for the suggestion.

i hope i'm not already getting on your nerves... :)
but, btw, there's another way to implement this...
provided all documents have permissions properly set so apache (running
with the normal uid/gid) can access them, apache could simply check the
uid+pwd provided by the user and check by itself whether the user has the
correct permissions to read the document or to execute the cgi-binary.
(e.g. if apache simply ignored the 'other' permissions, all documents or
cgi-binaries could be o+r or o+x and apache could use user+group for its
own permission-checking. world-readable documents simply could be set to
the apache-user and apache-group).
but to be frank - i don't like this solution half as much as the one
suggested above... :)

cu
	Chris
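
The alternative sketched in the last paragraph of the message above, as an added example that is not part of the original mail or of Apache: the server runs under its normal uid and decides access itself from the file's owner and group bits, ignoring the 'other' bits. `struct web_user`, `web_user_may` and the restriction to regular files are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical type: the identity the server resolved from the uid+password
 * sent by the client (looked up in the OS passwd and group databases). */
struct web_user {
    uid_t uid;
    const gid_t *groups;   /* primary and supplementary groups */
    size_t ngroups;
};

enum want { WANT_READ, WANT_EXEC };

static bool in_group(const struct web_user *u, gid_t gid)
{
    for (size_t i = 0; i < u->ngroups; i++)
        if (u->groups[i] == gid)
            return true;
    return false;
}

/* Decide access from the owner and group bits of a stat() result only.
 * The 'other' bits are deliberately ignored: in this scheme they exist
 * just so the unprivileged server process can open the file at all. */
bool web_user_may(const struct stat *st, const struct web_user *u, enum want w)
{
    mode_t owner_bit = (w == WANT_READ) ? S_IRUSR : S_IXUSR;
    mode_t group_bit = (w == WANT_READ) ? S_IRGRP : S_IXGRP;

    if (!S_ISREG(st->st_mode))   /* assumption: only plain files are served */
        return false;
    /* Same precedence as the kernel: the owner class is checked first and
     * is final, so an owner without the bit is denied even when the group
     * class would allow the access. */
    if (st->st_uid == u->uid)
        return (st->st_mode & owner_bit) != 0;
    if (in_group(u, st->st_gid))
        return (st->st_mode & group_bit) != 0;
    return false;                /* 'other' never grants access */
}
```

Because the decision is made in the server process rather than by the kernel, it only holds if every code path that opens a file calls this check on the same file it then serves.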

