On Nov 8, 2007 2:55 PM, Joshua Slive <joshua@xxxxxxxx> wrote:
> On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV
> <Axel-Stephane.SMORGRAV@xxxxxxxxxxxxxx> wrote:
> > I think you would need to elaborate on that statement. Frankly I can see a few differences, but I am not sure whether those are what you were thinking about. Apache also does a chuid/chgid effectively changing the UID/GID of the process to something which is hopefully not privileged.
> >
> > Whether Apache is started with sudo or is suid root, anyone able to start an Apache instance with the configuration of his/her choice can do bad things on the server.
>
> No, if apache is started with normal user privileges, it can't do harm
> beyond the privileges of that user. By setting apache suid root,
> anyone on your system can obtain complete root access by using the -f
> flag to specify a config file. (I won't give specifics of what you
> need to put in the config file, but it is quite easy for anyone with
> some apache knowledge.)

You could use a wrapper script (as I do) that the user can't change.

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
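One way to write the kind of wrapper mentioned in the reply above, as an added example that is not from the thread or from the Apache project. It assumes the default source-install paths, a root-owned script that is the only httpd command granted through sudo, and hypothetical helper names (`valid_action`, `locked_down`, `main`); the caller picks an action from an allow-list and never gets to supply `-f`.

```shell
#!/bin/sh
# Added example: fixed-argument httpd wrapper for use behind sudo.
# Paths are assumptions (default source-install layout); adjust to the host.
HTTPD=/usr/local/apache2/bin/httpd
CONF=/usr/local/apache2/conf/httpd.conf

# Succeeds only for the actions the wrapper will pass to "httpd -k".
valid_action() {
    case "$1" in
        start|stop|restart|graceful) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if $1 is a regular file (not a symlink), owned by uid $2
# (default 0), and not writable by group or others.
locked_down() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # ls -ldn prints: mode links uid gid ...; keep the mode and numeric uid.
    read -r mode _links uid _rest <<EOF
$(ls -ldn "$1")
EOF
    [ "$uid" = "${2:-0}" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

main() {
    # Exactly one argument, taken from the allow-list.
    if [ "$#" -ne 1 ] || ! valid_action "$1"; then
        echo "usage: $0 start|stop|restart|graceful" >&2
        return 2
    fi
    # Refuse to run if the binary or the config could have been edited by a non-root user.
    for f in "$HTTPD" "$CONF"; do
        locked_down "$f" 0 || { echo "refusing: $f is not root-only" >&2; return 1; }
    done
    # Clean environment, absolute paths, config file fixed by the wrapper.
    exec env -i PATH=/usr/bin:/bin "$HTTPD" -f "$CONF" -k "$1"
}

# With no arguments nothing is executed, so the functions can be checked alone.
[ "$#" -eq 0 ] || main "$@"
```

The check covers only the two named files; anything the configuration pulls in through `Include` or `LoadModule`, and the directories holding these files, need the same root-only ownership.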