On Nov 8, 2007 9:12 AM, Axel-Stephane SMORGRAV <Axel-Stephane.SMORGRAV@xxxxxxxxxxxxxx> wrote:
> -----Original Message-----
> >From: jslive@xxxxxxxxx [mailto:jslive@xxxxxxxxx] On behalf of Joshua Slive
> >Sent: Thursday, November 8, 2007 14:56
> >To: users@xxxxxxxxxxxxxxxx
> >Subject: Re: apache as non-root
> >
> >On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV <Axel-Stephane.SMORGRAV@xxxxxxxxxxxxxx> wrote:
> >> Whether Apache is started with sudo or is suid root, anyone able to start an Apache instance with the configuration of his/her choice can do bad things on the server.
> >
> >No, if apache is started with normal user privileges, it can't do harm beyond the privileges of that user. By setting apache suid root, anyone on your system can obtain complete root access by using the -f flag to specify a config file. (I won't give specifics of what you need to put in the config file, but it is quite easy for anyone with some apache knowledge.)
> >
>
> Well, Joshua, that was basically what I was trying to say. If Apache is started with root privileges (whether sudo or setuid) with a carefully crafted configuration, bad things can happen.
>
> So the question is rather whether you can entrust some or all legitimate non-root users of the host with the ability to start Apache with root privileges so it can bind to reserved ports, and in that case how you choose to do so.
>

Ok. I misread your message. What people should remember is that anyone who can control the main apache config files can gain the privileges of the user who starts apache.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
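
A defensive check for the point the thread settles on, as an added example that is not part of the original messages: it reports a setuid httpd binary and any component of the main config file's path that an account other than root or the starting user could modify. The function names and the finding labels (SETUID, WRITABLE, OWNER) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Prints one finding per line and
# nothing when the trust chain behind an httpd start looks clean.
# Usage: audit_httpd_start <httpd-binary> <main-config> <uid-that-starts-httpd>

# Print "SETUID <file>" when the binary carries the set-user-ID bit.
check_setuid() {
    if [ -u "$1" ]; then echo "SETUID $1"; fi
}

# Walk from the config file up to /, flagging every path component that
# someone other than root or the starting user could rewrite or replace.
# The walk is textual; -L makes find test a symlink's target, not the link.
check_config_chain() {
    p=$1; uid=$2
    case $p in /*) ;; *) p=$(pwd)/$p ;; esac
    while :; do
        # Group- or world-writable. Sticky directories (e.g. /tmp) are exempt
        # because other users cannot rename or delete entries they do not own.
        find -L "$p" -prune \( -perm -020 -o -perm -002 \) ! -perm -1000 \
            -exec echo WRITABLE {} \;
        # Owned by an account other than root (uid 0) or the starting user.
        find -L "$p" -prune ! -user 0 ! -user "$uid" -exec echo OWNER {} \;
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
}

audit_httpd_start() {
    check_setuid "$1"
    check_config_chain "$2" "$3"
}
```

A group-writable finding still needs a human decision: it is acceptable only if every member of that group is trusted with the privileges of the account that starts httpd.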