
Re: apache as a system shell ( Debian Wheezy Compromised - www-data user is sending 1000 emails an hour)



On 1/1/2014 2:52 AM, Joel Rees wrote:
> Are we going to find ourselves talking around each other again, Jerry?

Only if you insist.

> On Wed, Jan 1, 2014 at 11:51 AM, Jerry Stuckle <jstuckle@attglobal.net> wrote:
>> On 12/31/2013 8:43 PM, Joel Rees wrote:
>>> On Wed, Jan 1, 2014 at 12:58 AM, Raffaele Morelli
>>> <raffaele.morelli@gmail.com> wrote:
>>>> [...]
>>>> I just want to add a (relevant) bit.
>>>> Apache has tons of directives to secure a website and if you really need
>>>> to upload in a dir you can tell apache to not execute php scripts in there
>>>> or force file type to text or prevent POST request from untrusted ip, etc
>>>> etc.... and you're done.
>>>
>>> It has occurred to me on several occasions that apache is essentially
>>> another shell over the underlying OS calls -- like bash is a shell for
>>> character/command-line-oriented terminal (sessions).
>>
>> No, Apache is a web server.  It can load certain modules to provide
>> additional services, e.g. PHP or Python.  But it is not a shell.
>
> "Shell" has multiple meanings. Character-oriented command-line shell
> is just one of them. (And I'm sure you know that.)

Yes, and "Web Server" is not one of those meanings. Apache is a web server. Nothing more, nothing less. It is not, and never has been, a shell.

Without additional modules, Apache can't even execute scripts. But the addition of scripting languages does NOT make it a shell.

> If you aren't willing to use the term in the more complete meaning,
> please stay out of the conversation. (And don't bother digging up
> "definitions" that would eliminate purpose-specific shells over the
> ABIs or APIs, or I'll reach across the Pacific, grab my 30-year-old
> copy of the XINU text and throw it at you. ;-)

If you aren't willing to learn what Apache is and is not, please don't ask the question.

>>> It has also occurred to me on several occasions that it implements its
>>> own security model, and provides an alternate path into the system
>>> resources (file system, etc.) that sometimes circumvents the native
>>> security model.
>>
>> Yes, it has some security features built in.  But it cannot circumvent the
>> native security model.  If an application could do that, the security model
>> in Debian would be worthless.
>
> Yes and no, and if you would bother yourself to think beyond whatever
> wall stands between you and me, I think you would not have said that.

You seem to have a problem with "whatever wall stands between you and me", not me. I'm just trying to answer your question. But you are unwilling to learn.

>>> I mean, in the parent thread to this, you laid out quite well the
>>> problems of application support files being owned by root -- the
>>> problem of who gets/has to edit them. You can see the larger issues if
>>> you will.

Yes, and who can own the files has nothing to do with whether Apache is a shell or not.

>>> And I note that I prefer the native Unix basic security model not to
>>> be circumvented.
>>
>> It cannot be.
>
> If that were true, why would Apache (or any other web server) ever
> have security advisories?

Because Apache has added additional security features to limit what people can do from the web. These features are in addition to those of Linux (and Windows), not a replacement for them.

>>> I have other thoughts on the subject, but my wife says we have to go
>>> do the family New Year's stuff. Be interested in comments.
>>
>> Learn how security works.
>>
>> Jerry
>
> That's not a comment I'm interested in.

Then don't ask the question.

Jerry
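Raffaele's three hardening measures for an upload directory (do not execute PHP there, force the file type to text, restrict POST to trusted addresses) can all be expressed as Apache directives. The configuration below is an added illustration, not something posted in this thread; it assumes Apache 2.4 with mod_php, a constructed document path /var/www/site/uploads, and a placeholder trusted address from the documentation range 192.0.2.0/24.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_php.
# /var/www/site/uploads is a constructed path; 192.0.2.10 is a placeholder
# for whatever host is actually allowed to upload.
<Directory "/var/www/site/uploads">
    # 1. Never run PHP from this directory: turn the engine off (mod_php)
    #    and drop any handler or MIME mapping that would route .php files
    #    to an interpreter.
    php_admin_flag engine off
    RemoveHandler .php .phtml .php5
    RemoveType .php .phtml .php5

    # 2. Serve everything here as plain text, whatever its extension,
    #    so a dropped script is displayed rather than interpreted.
    ForceType text/plain

    # No CGI, no server-side includes, no following symlinks out of
    # the directory, and no .htaccess that could undo the above.
    Options -ExecCGI -Includes -FollowSymLinks
    AllowOverride None

    # 3. Anyone may GET/HEAD the files; every other method (POST, PUT,
    #    DELETE, ...) is only accepted from the trusted address.
    <LimitExcept GET HEAD>
        Require ip 192.0.2.10
    </LimitExcept>
</Directory>
```

Apache does not allow comments on the same line as a directive, which is why every comment above sits on its own line. If PHP runs under php-fpm instead of mod_php, `php_admin_flag` is not available in httpd.conf; the `RemoveHandler`/`ForceType` pair still keeps the proxy handler from being applied, and the equivalent engine setting belongs in the pool configuration. A quick check after reloading is to place a file containing `<?php phpinfo(); ?>` in the directory and confirm the browser shows the source as text rather than a rendered page.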

