[4993] in WWW Security List Archive
Re: Security issues in Apache?
daemon@ATHENA.MIT.EDU (Christopher Petrilli)
Mon Apr 7 13:57:01 1997
Date: Mon, 7 Apr 97 08:57:10 -0400
From: Christopher Petrilli <petrilli@amber.org>
To: "Prentiss Riddle" <riddle@is.rice.edu>, "Richard Costine" <rjc@n2k.com>
cc: <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
In reply to Prentiss Riddle at riddle@is.rice.edu:
>> Agreed. Sendmail is a beastie that should not be run as root on any
>> system exposed to the 'net. (Along with Ichat, Apache and any other big,
>> burly, and potentially security-hole-laden code).
>Could you post a short summary of what you know about security problems
>with Apache? And would you consider Apache to be less safe than NCSA
>httpd?
I believe the point is more accurately that the larger a system becomes,
the more likely it is to have unforseen and unpredictable interactions
which cause security breaches. This is something along the lines of the
law of entropy.
Apache is definately not "less safe" than NSCA, but nor is it necessarily
more safe. It does seem to have a more active base of developers, but
whether that is good or bad is something else entirely.
If you're running it, I would recommend you run an absolute minimal
server on port 80, an run the rest on a totally untrusted port, like
8080, thereby elimanting the need to even start the server as root. This
would at least restrict the damage that could be done.
Again, this is all principle. The basic theory is that if you can't
PROVE it's trustable, then it isn't. Don't trust ANYTHING.
Christopher
