[5013] in WWW Security List Archive


Re: Security issues in Apache?

daemon@ATHENA.MIT.EDU (Antonio Paulo Salgado Forster)
Thu Apr 10 10:20:56 1997

Date: Thu, 10 Apr 1997 08:46:26 -0300 (EST)
From: Antonio Paulo Salgado Forster <forster@hq.rnp.br>
To: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SOL.3.94.970408160934.283B-100000@wog>
Errors-To: owner-www-security@ns2.rutgers.edu


Hey Folks!

I know it may be out of topic, but I've been seeing some discussion about
ports... so I'd like to ask you guys something about this...

how does the browser know the port number? I thought when the browser is
going to send a request to some host xxx.yyy.zz, it would try a connection
to that host on some specified port, but that doesn't happen... Does the host
tell the browser what port to connect? how does it work? Could someone
tell me?

TIA
--

Antonio Paulo Salgado Forster  
Operacoes em Redes - RNP


On Tue, 8 Apr 1997, Paul Phillips wrote:

> Date: Tue, 8 Apr 1997 16:16:09 -0700 (PDT)
> From: Paul Phillips <paulp@go2net.com>
> To: Christopher Petrilli <petrilli@amber.org>
> Cc: Prentiss Riddle <riddle@is.rice.edu>, Richard Costine <rjc@n2k.com>,
>     www-security@ns2.rutgers.edu
> Subject: Re: Security issues in Apache?
> 
> 
> 
> On Mon, 7 Apr 1997, Christopher Petrilli wrote:
> 
> > If you're running it, I would recommend you run an absolute minimal 
> > server on port 80, and run the rest on a totally untrusted port, like 
> > 8080, thereby eliminating the need to even start the server as root.  This 
> > would at least restrict the damage that could be done.
> 
> This buys you nothing.  A call to setuid() by root gives away its
> root privileges forever and ever.  If something so fundamental to
> the Unix permission model did not work properly, you'd be in extremely
> deep water anyway.  There is nothing particularly "trusted" about
> port 80 vs. port 8080, it's just a question of who can bind to it.
> 
> Are you suggesting that the server on port 80 turn around and issue
> all its requests to port 8080? Even if there were some win to this,
> you couldn't do it unless performance was an irrelevant consideration.
> But, again, this buys you nothing (and introduces an unnecessary layer
> of complexity.)
> 
> -- 
> Paul Phillips      | If you have received a letter inviting you to speak at the
> Master of Boggle   | dedication of a new cat hospital, and you hate cats, your
> <paulp@go2net.com> | reply, declining the invitation, does not necessarily have
> +1 206 447 1595    | to cover the full range of your emotions. --Elem. of Style
> 
> 


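Paul Phillips' point in the quoted reply (root binds the privileged port, then setuid() gives the privilege away for good, and port 80 versus 8080 differs only in who may bind it) can be checked directly. The following is an added example written for this archive page, not code from the thread or from Apache: it binds a loopback listener while still privileged, drops to an unprivileged identity, then shows that setuid(0) is refused, that a bind to port 80 is classified by its errno, and that the socket opened before the drop keeps serving. It assumes a Unix host with fork(2), and that uid/gid 65534 is an unprivileged account ("nobody" on many systems); the experiment runs in a forked child so the calling process keeps its own identity.

```python
import errno
import json
import os
import socket

# Assumed unprivileged identity for the demo; 65534 is "nobody" on many systems.
UNPRIV_UID = 65534
UNPRIV_GID = 65534


def bind_listener(port):
    """Bind a TCP listener on loopback. On a stock Linux, ports below 1024
    need root (or CAP_NET_BIND_SERVICE); port 0 asks the kernel for an
    ephemeral port, which any user may bind."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s


def drop_privileges(uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Irrevocably give up root: clear supplementary groups, set gid, then uid.
    Once real, effective and saved uid are all non-zero the kernel also clears
    the capability sets, so there is no way back to uid 0."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def try_regain_root():
    """Return True if setuid(0) is refused, the expected result after a drop."""
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def classify_bind(port):
    """Describe what happens when the current identity tries to bind `port`."""
    try:
        bind_listener(port).close()
    except PermissionError:
        return "EACCES: privileged port, needs root"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "EADDRINUSE: something already listens here"
        return "error: " + os.strerror(e.errno)
    return "bound: this identity may use the port"


def _child_demo(write_fd):
    report = {"started_as_root": os.geteuid() == 0, "dropped": False}
    # Bind while still privileged (the order a root-started server uses),
    # then drop. The already-open socket keeps working afterwards.
    listener = bind_listener(0)
    report["listen_port"] = listener.getsockname()[1]
    if report["started_as_root"]:
        try:
            drop_privileges()
            report["dropped"] = True
        except OSError as e:
            report["drop_error"] = os.strerror(e.errno)
    report["uid_after"] = os.geteuid()
    report["regain_blocked"] = try_regain_root()
    report["port_80"] = classify_bind(80)
    # Prove the pre-drop listener still serves by connecting from this uid.
    client = socket.create_connection(("127.0.0.1", report["listen_port"]), timeout=2)
    conn, _ = listener.accept()
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed sample request
    report["listener_serves"] = conn.recv(64).startswith(b"GET /")
    conn.close()
    client.close()
    listener.close()
    os.write(write_fd, json.dumps(report).encode())


def run_demo():
    """Run the experiment in a forked child so the caller's uid is untouched,
    and return the child's report as a dict."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        try:
            _child_demo(w)
        except Exception as e:  # surface the failure instead of a silent exit
            os.write(w, json.dumps({"error": repr(e)}).encode())
        finally:
            os.close(w)
            os._exit(0)
    os.close(w)
    chunks = []
    while True:
        b = os.read(r, 4096)
        if not b:
            break
        chunks.append(b)
    os.close(r)
    os.waitpid(pid, 0)
    return json.loads(b"".join(chunks))


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Run it as root to see the full sequence (listener bound, uid dropped to 65534, setuid(0) refused, port 80 reported as EACCES); run it as an ordinary user and the drop step is skipped but the refusal of setuid(0) and the port 80 result are the same, which is exactly why a server that binds port 80 and then drops privileges is no worse off than one started unprivileged on 8080. On macOS or on Linux with net.ipv4.ip_unprivileged_port_start lowered, the port 80 line will read "bound" instead, since those kernels do not reserve low ports.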