[5006] in WWW Security List Archive
Re: Security issues in Apache?
daemon@ATHENA.MIT.EDU (Phillip M Hallam-Baker)
Wed Apr 9 09:49:12 1997
From: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>
To: <ben@algroup.co.uk>, "Christopher Petrilli" <petrilli@amber.org>
Cc: <riddle@is.rice.edu>, <rjc@n2k.com>, <www-security@ns2.rutgers.edu>
Date: Wed, 9 Apr 1997 01:38:25 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
> Apache runs a single process as root, which opens the port and then becomes
> another user, then forks the listening processes. The root process never
> interacts with the network, and its interaction with the other processes is
> limited to counting, killing and creating them. So, I can't really see what
> this precaution buys you.

It buys you not having to audit the code and consider the security
implications.

I've just completed a report on a site where I removed approx. 75%
of the functionality of UNIX for no other reason than there was no
reason to have it in so the quickest way to be sure was to remove it.
If you want to prove a system correct you have to make it simple.

Running any process as root is a security risk. I can imagine several
attacks against the root thread. Have you considered what happens if
someone makes a symlink from the logfile to another location? Have
you considered the consequences of using shared memory and the
scoreboard system?

I would want a separate audit for every module that was in Apache.
If you run Thau's threaded hack then the root problem would be worse
still.

If you don't need to run something as root - don't! If you have an O/S
that gives fine grain control over privileges then give each process the
minimum possible.

Phill
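
Added example, not part of the original message and not Apache's own code: one way a privileged parent process can refuse the logfile symlink case raised above, by opening the log with O_NOFOLLOW and checking the opened object with fstat. The function names open_log_nofollow and demo_symlink_refused and the temporary paths are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes O_NOFOLLOW and mkdtemp on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending without following a symlink at the final path
 * component. Returns an fd, or -1 with errno set. O_NOFOLLOW does not cover
 * parent directories, so the log directory must not be writable by others. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;               /* ELOOP on Linux if path is a symlink */
    /* Inspect the object actually opened, not the name (no check/use race). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;                   /* not a plain, singly linked, own file */
        return -1;
    }
    return fd;
}

/* Constructed demo in a private temp directory: returns 1 if a regular file
 * is accepted and a symlink pointing at it is refused with ELOOP. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", target[64], lnk[64];
    int fd, ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/other_file", dir);
    snprintf(lnk, sizeof lnk, "%s/error_log", dir);
    fd = open_log_nofollow(target);      /* regular file: accepted */
    ok = (fd >= 0);
    if (fd >= 0) close(fd);
    if (symlink(target, lnk) != 0) return -1;
    fd = open_log_nofollow(lnk);         /* symlink in place of the log: refused */
    ok = ok && fd < 0 && errno == ELOOP;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}

int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```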