Re: an actual hacked machine, in a preserved state




>>>  1.) Attacker uses apache remote exploit (or other means) to obtain
>>>  your /etc/shadow file (not a remote shell, just GET the file
>>>  without that fact being logged);
>> 
>>  I don't mean to thread-hijack, but I'm curious, if apache runs as
>>  its own non-root user and /etc/shadow is root-owned and 0400, then
>>  how could any exploit of software not running as root ever have
>>  access to that file??
> 
> Apache starts as root so it can open port 80.  Certain bugs might
> happen before it switches to a non-privileged user.  But, a more
> likely scenario would be to get the ability to run some arbitrary
> command through an apache, app, or library vulnerability, and that
> command would use a different kernel, library, or suid program
> vulnerability to get root access.  Look back through the update
> release notes and you'll find an assortment of suitable bugs that have
> been there...

That makes sense - but that scenario seems like the vulnerability is more
in some third party application or tool that happens to be executable by
apache.  Seems like the best defense against that is not running things
like WordPress  ;-p  :-)
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
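The thread hinges on two assumptions a defender can actually verify on a box: that /etc/shadow is root-owned with no group/other permission bits, and that only the apache parent (which binds port 80 as root) runs as root while every worker has dropped to the unprivileged user. The script below is an added audit example, not code from the thread or from the CentOS project; it assumes GNU `stat -c` and a `ps` that accepts `-eo pid=,user=,comm=`, and the process name to check (`httpd` on CentOS) is passed in by the caller.

```shell
#!/bin/sh
# Added defender's audit for the two assumptions discussed in the thread.
# Assumes GNU coreutils stat(1) and procps ps(1); process name is caller-supplied.

# Return 0 when an octal mode string (e.g. 400, 0600, 000) grants nothing to
# group or other, i.e. its last two digits are both zero.
mode_is_private() {
    mode="$1"
    last_two=$(printf '%s' "$mode" | tail -c 2)
    [ "$last_two" = "00" ]
}

# Check that a file is root-owned and private; print a finding and return 1
# for each violated property.  Intended target: /etc/shadow.
check_private_file() {
    file="$1"
    owner=$(stat -c '%U' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    status=0
    if [ "$owner" != "root" ]; then
        echo "FINDING: $file is owned by $owner, expected root"
        status=1
    fi
    if ! mode_is_private "$mode"; then
        echo "FINDING: $file mode $mode is readable by group/other"
        status=1
    fi
    return $status
}

# Count processes with command name $1 that run as root, excluding the single
# parent (lowest PID).  The parent legitimately runs as root to bind port 80;
# any root-owned *worker* means privilege dropping did not happen.
count_root_workers() {
    name="$1"
    ps -eo pid=,user=,comm= | awk -v n="$name" '
        $3 == n {
            pids[NR] = $1; users[NR] = $2
            if (min == "" || $1 + 0 < min + 0) min = $1
        }
        END {
            c = 0
            for (i in pids) if (users[i] == "root" && pids[i] != min) c++
            print c
        }'
}

# Stand-alone usage (run as root on the web server):
#   check_private_file /etc/shadow
#   workers=$(count_root_workers httpd)
#   [ "$workers" -eq 0 ] || echo "FINDING: $workers httpd workers run as root"
```

Both findings map directly to the chain described above: a readable shadow file makes the "just GET the file" step possible without any root exploit, and a root-owned worker means a bug after startup would not need a second, local privilege-escalation vulnerability to reach root.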


