[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: exploring debian's users and groups

On Mon, Jan 01, 1990 at 02:25:28PM +0100, Manfred Wassmann wrote:
> On Wed, 8 Aug 2001, Radovan Garabik wrote:
> > were you able to make it work with apache? It did not work for me
> That reminds me of a german proverb: "Warum einfach, wenn es umständlich
> auch geht."

weil einfach ungenuegend kann sein
(sorry for my bad german)

> I simply put "User www-data\nGroup www-data" into httpd.conf, then apache
> will start as root, open the logfiles and port 80, then set uid and gid

> accordinly and start the processes which serve the client requests.
> No problem with port 80 or logfiles owned by root while apache runs as 
> a nonprivileged user.

ps aux|grep apache|grep root

1) there is still one root process hanging around
2) apache starts as root
   you never know when a bug appears

I agree that the probability of exploiting is greatly reduced
by apache seuid/gid-ing, but I remember not so long
ago a bug in dictd server (which was starting as root, then
immediatly setuid/gid-ing to nobody/nogroup, then binding
port 2628). Reason for starting as root? "why not, it makes
things simpler, and since it setuids right away nothing can happen"
Yet, it was discovered that under certain circumstances, 
setuid-ing was not working properly and dictd retained root
privileges. Yuck.

I can sleep more comfortably if the number of root processes
is reduced by one.

| Radovan Garabik http://melkor.dnp.fmph.uniba.sk/~garabik/ |
| __..--^^^--..__    garabik @ melkor.dnp.fmph.uniba.sk     |
Antivirus alert: file .signature infected by signature virus.
Hi! I'm a signature virus! Copy me into your signature file to help me spread!

Reply to: