[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache as a system shell ( Debian Wheezy Compromised - www-data user is sending 1000 emails an hour)

Are we going to find ourselves talking around each other again, Jerry?

On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle <jstuckle@attglobal.net> wrote:
> On 12/31/2013 8:43 PM, Joel Rees wrote:
>>
>> On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
>> <raffaele.morelli@gmail.com> wrote:
>>>
>>> [...]
>>> I just want to add a (relevant) bit.
>>> Apache has tons of directives to secure a website and if you really need
>>> to
>>> upload in a dir you can tell apache to not execute php scripts in there
>>> or
>>> force file type to text or prevent POST request from untrusted ip, etc
>>> etc.... and you'are done.
>>
>>
>> It has occurred to me on several occasions that apache is essentially
>> another shell over the underlying OS calls -- like bash is a shell for
>> character/command-line-oriented terminal (sessions).
>>
>
> No, Apache is a web server.  It can load certain modules to provide
> additional services, e.g. PHP or Python.  But it is not a shell.

"Shell" has multiple meanings. Character-oriented command-line shell
is just one of them. (And I'm sure you know that.)

If you aren't willing to use the term in the more complete meaning,
please stay out of the conversation. (And don't bother digging up
"definitions" that would eliminate purpose-specific-shells over the
ABIs or APIs, or I'll reach across the Pacific, grab my 30 year old
copy of the XINU text and throw it at you. ;-)

>> It has also occurred to me on several occasions that it implements its
>> own security model, and provides an alternate path into the system
>> resources (file system, etc.) that sometimes circumvents the native
>> security model.
>>
>
> Yes, it has some security features built in.  But it cannot circumvent the
> native security model.  If an application could do that, the security model
> in Debian would be worthless.

Yes and no, and if you would bother yourself to think beyond whatever
wall stands between you and me, I think you would not have said that.

I mean, in the parent thread to this, you laid out quite well the
problems of application support files being owned by root -- the
problem of who gets/has to edit them. You can see the larger issues if
you will.

>> And I note that I prefer the native Unix basic security model not to
>> be circumvented.
>>
>
> It cannot be.

If that were true, why would Apache (or any other web server) ever
have security advisories?

>> I have other thoughts on the subject, but my wife says we have to go
>> do the family new-year's stuff. Be interested in comments.
>>
>
> Learn how security works.
>
> Jerry

That's not a comment I'm interested in.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
Reply to: