On 12/31/2013 8:43 PM, Joel Rees wrote:
On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli <raffaele.morelli@gmail.com> wrote:
[...]
I just want to add a (relevant) bit. Apache has tons of directives to secure a website, and if you really need to upload into a dir you can tell Apache not to execute PHP scripts in there, or force the file type to text, or prevent POST requests from untrusted IPs, etc. etc., and you're done.

It has occurred to me on several occasions that Apache is essentially another shell over the underlying OS calls, like bash is a shell for character/command-line-oriented terminal sessions.
No, Apache is a web server. It can load certain modules to provide additional services, e.g. PHP or Python. But it is not a shell.
It has also occurred to me on several occasions that it implements its own security model, and provides an alternate path into the system resources (file system, etc.) that sometimes circumvents the native security model.
Yes, it has some security features built in. But it cannot circumvent the native security model. If an application could do that, the security model in Debian would be worthless.
And I note that I prefer the native Unix basic security model not to be circumvented.
It cannot be.
I have other thoughts on the subject, but my wife says we have to go do the family new-year's stuff. Be interested in comments.
Learn how security works.

Jerry
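The upload-directory hardening Raffaele alludes to (no PHP execution, files served as inert text, POST only from trusted addresses) looks like this as Apache 2.4 configuration. This is an added example, not configuration from anyone in the thread; the document root path, the trusted IP range and the PHP deployment (mod_php or a proxied handler) are assumptions you must adjust.

```apache
# Added example (not from the thread): locking down a user-upload directory
# on Apache 2.4. The path, the 192.0.2.0/24 range and the PHP setup are
# assumptions for illustration.
<Directory "/var/www/example.com/uploads">
    # No directory listing, no CGI, no SSI, no symlink following.
    Options None
    # Ignore any .htaccess that an attacker manages to upload.
    AllowOverride None

    # Do not execute PHP here. With mod_php the engine can be switched
    # off outright (module name is mod_php.c for PHP 8, mod_php7.c for 7).
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>
    # For php-fpm / proxied setups, unmap the handler as well so a
    # higher-level "SetHandler proxy:..." does not apply in this tree.
    RemoveHandler .php .phtml .phar
    RemoveType .php .phtml .phar
    SetHandler None

    # Serve every file as plain text and stop browsers from sniffing it
    # back into HTML or a script type.
    ForceType text/plain
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options "nosniff"
    </IfModule>

    # Anyone may GET or HEAD; every other method (POST, PUT, ...) is
    # accepted only from the trusted range.
    <LimitExcept GET HEAD>
        Require ip 192.0.2.0/24
    </LimitExcept>
</Directory>
```

Two checks worth doing after reloading: request an uploaded `test.php` and confirm the response is `Content-Type: text/plain` with the source echoed back rather than executed, and send a POST from an address outside the range and confirm a 403. Note that none of this replaces the file-system permissions Jerry is pointing at: the directory should still be writable only by the upload process and never executable, since the Apache worker runs as an ordinary Unix user and is bound by the same DAC rules as any other process.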