[5023] in WWW Security List Archive


Re: Security issues in Apache?

daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Apr 10 15:10:02 1997

To: Phillip M Hallam-Baker <hallam@ai.mit.edu>
Date: Wed, 9 Apr 1997 10:39:45 +0100 (BST)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: ben@algroup.co.uk, petrilli@amber.org, riddle@is.rice.edu, rjc@n2k.com,
        www-security@ns2.rutgers.edu
In-Reply-To: <199704090544.BAA03146@life.ai.mit.edu> from "Phillip M Hallam-Baker" at Apr 9, 97 01:38:25 am
Reply-To: ben@algroup.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu

Phillip M Hallam-Baker wrote:
> > Apache runs a single process as root, which opens the port and then becomes
> > another user, then forks the listening processes. The root process never
> > interacts with the network, and its interaction with the other processes is
> > limited to counting, killing and creating them. So, I can't really see what
> > this precaution buys you.
> 
> It buys you not having to audit the code and consider the security 
> implications.

It doesn't buy _me_ that - I've already audited the code! But I'll agree that
it buys other people who don't trust me that.

> 
> I've just completed a report on a site where I removed approx. 75%
> of the functionality of UNIX for no other reason than there was no 
> reason to have it in so the quickest way to be sure was to remove it.
> 
> If you want to prove a system correct you have to make it simple. 
> Running any process as root is a security risk. I can imagine several
> attacks against the root thread. Have you considered what happens if
> someone makes a symlink from the logfile to another location? Have
> you considered the consequences of using shared memory and the 
> scoreboard system?

These things have been considered, yes.

> 
> I would want a separate audit for every module that was in Apache.
> 
> If you run Thau's threaded hack then the root problem would be worse
> still.
> 
> If you don't need to run something as root - don't! If you have an O/S 
> that gives fine grain control over privileges then give each process the
> minimum possible.

Agreed. But Apache does need to run as root if you want to open port 80 (or
any other low numbered port), as you well know.

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
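
The symlinked-logfile question raised in the quoted text, as an added example that is not part of the original message and is not Apache code: a privileged process opens its log so that a symlink planted at the log path is refused rather than followed. The helper name open_log_nofollow and the temporary paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a log for appending from a privileged process.
 * O_NOFOLLOW refuses a symlink in the final path component only, so the
 * log directory itself must still be writable by root alone. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    /* O_NONBLOCK: do not hang if a FIFO was planted at the path. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW |
                        O_NONBLOCK | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;                      /* ELOOP when path is a symlink */

    /* Validate the object that was opened, not the name (no re-check race). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;                  /* device, FIFO or extra hard link */
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample layout in a private temporary directory. */
    char dir[] = "/tmp/logdemoXXXXXX", target[64], logp[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(logp, sizeof logp, "%s/error_log", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, logp) != 0) return 1;

    int fd = open_log_nofollow(logp);
    printf("symlinked log: %s\n", fd < 0 ? "refused" : "opened");
    if (fd >= 0) close(fd);
    unlink(logp); unlink(target); rmdir(dir);
    return 0;
}
```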
