[5038] in WWW Security List Archive


Re: Security issues in Apache?

daemon@ATHENA.MIT.EDU (Phillip M. Hallam-Baker)
Sat Apr 12 01:45:10 1997

From: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
To: <www-security@ns2.rutgers.edu>
Date: Fri, 11 Apr 1997 20:07:10 -0400
Errors-To: owner-www-security@ns2.rutgers.edu



 ----
>>If you run Linux I would suggest patching the TCP/IP stack to remove this
>>restriction, allowing processes in a group INET to connect to low numbered
>>ports.
>
>You then make it very easy for non-privileged processes to masquerade as OS
>services.  An unprivileged user could run a program that pretends to be a
>mailer running on port 25, but which in fact is a malicious program that

I was not proposing allowing any process to connect to ports under
1024, merely those in a particular group or otherwise restricted. If you
don't want a user to connect to low numbered ports don't give them
INET privs.

UNIX does not give adequate control over privs which is why I
suggested extending the trust model. 

>The best way of dealing with the root problem if you're really paranoid is
>to put a chroot'ed su wrapper around the httpd invokation and run it from
>inetd, i.e. make a script called httpd:

I disagree very strongly. It's a kludge to get round an inadequate O/S.
Fix the O/S if you can rather than try gluing together ad hoc stuff.


Phill
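The masquerade concern raised above (an unprivileged process answering on a port below 1024) is something an administrator can check for directly. The following audit script is an added example, not part of this thread; it assumes the Linux /proc/net/tcp table format and flags every LISTEN socket on a privileged port whose owning UID is not root, working over a constructed sample table rather than a real capture.

```python
"""Audit Linux TCP listeners on privileged ports (< 1024).
Parses /proc/net/tcp-formatted lines; on a stock kernel only root (or a
process granted CAP_NET_BIND_SERVICE) can bind there, so a non-root
owner is either a deliberate delegation or something to inspect."""
from dataclasses import dataclass
from typing import Iterable, List

LISTEN = "0A"          # socket state code used by /proc/net/tcp
PRIVILEGED_MAX = 1023  # highest "low numbered" port

@dataclass(frozen=True)
class Listener:
    port: int
    uid: int
    inode: int

def parse_proc_net_tcp(lines: Iterable[str]) -> List[Listener]:
    """Return every LISTEN-state socket found in /proc/net/tcp lines."""
    result = []
    for line in lines:
        fields = line.split()
        # skip the header row ("sl local_address ...") and truncated lines
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        local_addr, state = fields[1], fields[3]
        if state != LISTEN:
            continue
        port = int(local_addr.split(":")[1], 16)  # hex port after the colon
        result.append(Listener(port=port, uid=int(fields[7]), inode=int(fields[9])))
    return result

def unprivileged_low_port_listeners(listeners: Iterable[Listener]) -> List[Listener]:
    """Listeners on ports <= 1023 whose owning UID is not root (0)."""
    return [l for l in listeners if l.port <= PRIVILEGED_MAX and l.uid != 0]

# Constructed sample table (not a real capture): root on 22, uid 1000 on
# port 25, uid 1000 on 8080, plus one established (non-LISTEN) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1 0000000000000000 20 4 30 10 -1
""".splitlines()

def audit(lines: Iterable[str] = SAMPLE_PROC_NET_TCP) -> List[Listener]:
    """Flag non-root listeners on privileged ports; defaults to the sample."""
    return unprivileged_low_port_listeners(parse_proc_net_tcp(lines))
```

On a live Linux host, `audit(open("/proc/net/tcp"))` runs the same check against the kernel's table; the inode can then be matched to a process via /proc/*/fd.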


