[260] in WWW Security List Archive
Re: Secure W3 Server
daemon@ATHENA.MIT.EDU (hallam@dxal18.cern.ch)
Tue Dec 13 18:33:04 1994
From: hallam@dxal18.cern.ch
To: smb@research.att.com, www-security@ns1.rutgers.edu
Cc: hallam@dxal18.cern.ch
In-Reply-To: Your message of "Tue, 13 Dec 94 12:35:36 EST."
<199412131856.NAA02435@ns1.rutgers.edu>
Date: Wed, 14 Dec 94 05:12:45 +0900
Reply-To: hallam@dxal18.cern.ch
>The big weakness of sendmail -- against outside attack -- has nothing
>to do with its root privileges. Rather, the problem is that it grants
>access at all. Your first line of defense is keeping someone off the
>machine entirely; anything that lets someone in at all is an extremely
>serious matter.
Well, I disagree here; there are numerous other programs that grant access
to all without causing havoc in the sendmail league. Sendmail is one of those
utilities that should be banned under the Geneva Convention.
Granting access to all is a risk; granting access to all through a program with
a history like sendmail is an entirely different class of risk. More like
lending money to Robert Maxwell or letting your daughter go out with
Geoffrey Dahmler [OK so the examples were changed
>httpd is a risk partly because it's complex, but also because some of
>the interesting things you can do with it involve perl or sh scripts
>interpreting user inputs. It's some help that you can run httpd in a
>chroot'ed area, but that's not a panacea. chroot is wonderful as
>a restriction on file access; it is not suitable if the enemy can
>execute arbitrary programs in the chroot'ed area.
This is one reason why I am very much against the use of perl and even more
against the use of sh scripts. OK, so they may save some development time, which
probably says more about C not being an adequate language for the task, but the
administration costs are definitely higher. Personally I don't like the idea of
spawning programs off a server daemon at all - I much prefer monolithic code
with everything needed compiled into one executable. If you can sleep OK at
night running Perl scripts then OK; personally I hacked up a decent set of string
handling routines for C and added some assoc list stuff, after which Perl offers
few advantages over C except faster compile time.
The point about firewalls is well taken though. httpd is not a firewall proxy.
TIS have one of those. Really what a firewall achieves is what chroot attempts
to provide - a safe partition.
>Because the code is complex, I don't trust it. The Web Server needn't
>run as root (or bin) and it needn't see anything outside its file tree.
Me neither; this is why I'm working on a code technique that should allow the
complexity of the code to be drastically reduced. httpd has as a design aim "run
on anything". That design aim is inconsistent with "have uncomplicated code" :-(
I'd like to have the code synthesised from the spec so that only the correctness
of the translator were an issue.
Phill H-B