This is the comment you were replying to, attached to the article Running network services as a non-root user.:
#7 Re: Running network services as a non-root user.
Posted by simonw (84.45.xx.xx) on Sat 22 Apr 2006 at 12:12

You can, it is called the "suexec security model", and Apache defaults to not using it for security reasons.

http://httpd.apache.org/docs/2.0/suexec.html

In most cases ISPs make the owner of the files Apache serves a specific user, and just give www-data read permission. In such circumstances the dangers aren't huge, and mostly revolve around what else you let Apache trust users for (htaccess files, Overrides, and ModPerl etc), and dynamic content.

Where we've seen compromises with Apache webhosting it is usually followed by loading stuff to "tmp", and a root privilege elevation (or failed attempts at same), as exploiting the ownership of the www-data process is difficult and complex (or at least highly variable) to exploit. Whereas with root or another user account it is easy to do abusive things - load up CGI scripts for sending email or phishing etc.

i.e. the first thing all the successful exploits have done is to find an escape from the security model you think is broken.

Probably the biggest problem is the number of slightly iffy apps, whose install instructions think "chmod 777" is the solution to security constraints, but I think that isn't Apache's fault, and I haven't seen that many problems as a result, as Apache doesn't have a "write to a file I can write to" action by default; that is always added in later (WebDAV, PHP, Perl etc).

Sure there is a problem with a customer trying to attack another customer's site, but even here proper permissions mean this is limited in scope to files with the wrong permissions, and in most cases you have contracts and agreements with customers. Most of the bad guys are not your paying customers.