Re: apache as non-root

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Nov 8, 2007 7:11 AM, Axel-Stephane  SMORGRAV
<Axel-Stephane.SMORGRAV@xxxxxxxxxxxxxx> wrote:
> I think you would need to elaborate on that statement. Frankly I can see a few differences, but I am not sure whether those are what you were thinking about. Apache also does a chuid/chgid effectively changing the UID/GID of the process to something which is hopefully not privileged.
>
> Whether Apache is started with sudo or is suid root, anyone able start an Apache instance with the configuration of his/her choice can do bad things on the server.

No, if apache is started with normal user privileges, it can't do harm
beyond the privileges of that user. By setting apache suid root,
anyone on your system can obtain complete root access by using the -f
flag to specify a config file. (I won't give specifics of what you
need to put in the config file, but it is quite easy for anyone with
some apache knowledge.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux