Re: Advice Needed On Recent Rootings

To: Debian Security <debian-security@lists.debian.org>
Subject: Re: Advice Needed On Recent Rootings
From: Adam Majer <adamm@galacticasoftware.com>
Date: Mon, 28 Jul 2003 13:19:18 -0500
Message-id: <[🔎] 20030728181918.GA20213@galacticasoftware.com>
In-reply-to: <20030603140209.GA14800@zionlth.org>
References: <20030525180430.GB32546@yagami.infodump.net> <20030525182528.GE3395@keimel.com> <20030528045821.GA7093@yagami.infodump.net> <20030602203821.GA18163@galacticasoftware.com> <20030603140209.GA14800@zionlth.org>

On Tue, Jun 03, 2003 at 10:02:09AM -0400, Phillip Hofmeister wrote:
> On Mon, 02 Jun 2003 at 03:38:21PM -0500, Adam Majer wrote:
> > With something like sendmail or apache, it only needs to see a very
> > limited part of the file system, so even braking these will not do
> > any real damage.
> 
> Don't get too over confident about chrooting Apache.  One Apache process
> runs as root.  This means if there is an exploit that sends arbitrary
> code across the shared scoreboard it could be ran as root and break out
> of the jail.

First, sorry for my very late reply :) I'm just reading the
messages here now...

Anyway, I wasn't talking about chroot. I was talking about 
grsecurity and ACLs (I think). Then you specify what each 
process is allowed to do and see (even root cannot get passed that).

You can make Apache see only the directories that you want it
to see. You can also specify that Apache cannot initiate a connection
(except to trusted nameserver for instance) and it can only listen on port 80.
With other features of grsecurity like stack randomization, Apache
becomes pretty much explot-proof...

- Adam

Reply to:

Prev by Date: Re: Kernel 2.4.21 Forwarding table vulnerability
Next by Date: Re: Kernel 2.4.21 Forwarding table vulnerability
Previous by thread: Re: Woody security updates report.
Next by thread: Re: Advice Needed On Recent Rootings
Index(es):
- Date
- Thread