[257] in WWW Security List Archive
Re: Secure W3 Server
daemon@ATHENA.MIT.EDU (smb@research.att.com)
Tue Dec 13 17:05:35 1994
From: smb@research.att.com
To: David Miller <isdmill@gatekeeper.ddp.state.me.us>
cc: hharamis@cohesive.com, www-security@ns1.rutgers.edu
Date: Tue, 13 Dec 94 12:35:36 EST
Reply-To: smb@research.att.com
> I don't doubt that the httpd servers have bugs which can be
> exploited in some fashion. However, I would expect the damage
> to be more localized to the www server system, not the entire
> system. Sendmail needs to run suid root to do all the
> whiz-bang stuff it's famous for, and that means that once you
> find a bug you have root privileges. Httpd servers run very
> nicely as user httpd so the damage can be more easily
> contained.
The big weakness of sendmail -- against outside attack -- has nothing
to do with its root privileges. Rather, the problem is that it grants
access at all. Your first line of defense is keeping someone off the
machine entirely; anything that lets someone in at all is an extremely
serious matter.
httpd is a risk partly because it's complex, but also because some of
the interesting things you can do with it involve perl or sh scripts
interpreting user inputs. It's some help that you can run httpd in a
chroot'ed area, but that's not a panacea. chroot is wonderful as
a restriction on file access; it is not suitable if the enemy can
execute arbitrary programs in the chroot'ed area.
--Steve Bellovin
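The following is an added example, not code from the message above or from any httpd of the period. It shows what the caveat about chroot comes down to in practice: chroot() only narrows the process's view of the filesystem, and it needs root to call, so the useful order is chroot, chdir("/"), then give up root before touching any untrusted input. A process that keeps uid 0 inside the jail can simply call chroot() again and leave. The jail path, the uid/gid 65534 and the function names are this example's own assumptions.

```c
/* Added example (not from the original post): chroot a server process and
 * then drop root, with a check that root really is gone.  The jail path and
 * the uid/gid 65534 ("nobody" on many systems) are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* for setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Step 1: confine file access.  chroot() requires root, so it must come
 * before the privilege drop.  chdir("/") afterwards is essential: a cwd left
 * outside the jail is still reachable via relative paths. */
int enter_jail(const char *dir)
{
    if (chroot(dir) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    return 0;
}

/* Step 2: give up root for good.  Order matters: clear supplementary groups
 * and set the gid while still root, because neither is permitted afterwards;
 * setuid() goes last.  As root, setuid() sets real, effective and saved uid
 * together, so there is nothing left to switch back to. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* The check a server should make after dropping: setuid(0) must now fail with
 * EPERM.  Returns 1 if root can still be regained (the drop was incomplete),
 * 0 if it cannot. */
int root_regainable(void)
{
    if (setuid(0) == 0)
        return 1;
    return errno == EPERM ? 0 : 1;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/www";  /* assumed jail path */

    if (enter_jail(jail) != 0) {
        perror("enter_jail");          /* needs root (CAP_SYS_CHROOT on Linux) */
        return 1;
    }
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("jailed in %s as uid %d; root regainable: %s\n",
           jail, (int)geteuid(), root_regainable() ? "yes" : "no");
    return 0;
}
```

Run it as root with the jail directory as the argument. Even with root dropped, the jailed code keeps whatever the jail contains (any copied-in shell, perl or setuid binary) and keeps full use of the network and of every system call, which is why the message treats chroot as a file-access restriction only and not as an answer to arbitrary code execution.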