On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV <Axel-Stephane.SMORGRAV@xxxxxxxxxxxxxx> wrote: > I think you would need to elaborate on that statement. Frankly I can see a few differences, but I am not sure whether those are what you were thinking about. Apache also does a chuid/chgid effectively changing the UID/GID of the process to something which is hopefully not privileged. > > Whether Apache is started with sudo or is suid root, anyone able start an Apache instance with the configuration of his/her choice can do bad things on the server. No, if apache is started with normal user privileges, it can't do harm beyond the privileges of that user. By setting apache suid root, anyone on your system can obtain complete root access by using the -f flag to specify a config file. (I won't give specifics of what you need to put in the config file, but it is quite easy for anyone with some apache knowledge.) Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|