Re: Freeside installation problem
Actually, I think apache is root to open port 80, then immediately changes
to the user specified in the configuration. apachesuid switches back to
root in order to switch users to the user that owns the script. It's
extremely safe (the code ONLY switches users, and is very short).
As far as I'm aware, the root apache never actually looks at port 80. Only
the children do.
Here's a ps from our web server (abbreviated):
root 23958 0.0 2.2 808 664 ?? Ss 12Mar98 5:08.61 ./httpd
httpd 4967 0.0 3.1 836 952 ?? S 9:44AM 0:00.10 ./httpd
httpd 5079 0.0 3.4 868 1044 ?? S 10:02AM 0:00.28 ./httpd
...
--
Neal Rigney, PERnet Communications, (409)729-4638
neal@mail.pernet.net
"I've seen better bandwidth between two gorillas with flash cards!"
-----Original Message-----
From: Ivan Kohler <ivan@sisd.com>
To: News Subsystem <news@bmccane.maxbaud.net>
Cc: {/// Don Spence \} <don@ultimanet.com>; ivan-freeside@sisd.com
<ivan-freeside@sisd.com>
Date: Thursday, March 26, 1998 12:59 AM
Subject: Re: Freeside installation problem
>-----BEGIN PGP SIGNED MESSAGE-----
>
>On Wed, 25 Mar 1998, News Subsystem wrote:
>
>> On Thu, 26 Mar 1998, Ivan Kohler wrote:
>>
>> > You may also want to take a look at the suExec feature of Apache, which
>> > appears to provide similar functionality - it executes scripts as the
>> > owner of the script (thus the setuid bit would not be needed). I haven't
>> > tried this myself.
>> >
>> I believe that it is necessary to have apache running as root in order to
>> use the suExec feature. This is a major security problem, much worse
>> than setting the suid bit on a user's files.
>
>The documentation (specifically suexec.html from the manual) seems to
>indicate that the suexec wrapper itself is setuid root, but that apache
>does not run as root. I would guess that given Apache's popularity (and
>wide distribution of source code :) ), a correctly installed suexec should
>be fairly safe.
>
>- --
>Ivan Kohler <ivan@sisd.com> - finger for PGP key
>Silicon Interactive Software Design - http://www.sisd.com/
>"I want to go on a mountain-top / with a radio and good batteries
> play a joyous tune / and free the whole human race from suffering" -Bjork
>
>
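
An added example, not part of the original thread or of Apache or Freeside: a small audit of `ps aux`-style output for the privilege split discussed above (one root parent, workers running as the configured user). It assumes the 11-column layout of the quoted ps output, that the parent is the session leader (lowercase "s" in STAT), and that the worker user is `httpd` as in that output; the function names are hypothetical.

```python
"""Audit ps-aux-style lines for the Apache root-parent / unprivileged-worker split."""

# SAMPLE_OK is the ps output quoted in the message above. The extra line in
# SAMPLE_BAD is constructed here to show a worker that never dropped root.
SAMPLE_OK = """\
root 23958 0.0 2.2 808 664 ?? Ss 12Mar98 5:08.61 ./httpd
httpd 4967 0.0 3.1 836 952 ?? S 9:44AM 0:00.10 ./httpd
httpd 5079 0.0 3.4 868 1044 ?? S 10:02AM 0:00.28 ./httpd
...
"""
SAMPLE_BAD = SAMPLE_OK + "root 5101 0.0 3.0 840 900 ?? S 10:05AM 0:00.02 ./httpd\n"


def parse_ps(text, command="httpd"):
    """Yield (user, pid, stat) for each line whose command basename matches."""
    for line in text.splitlines():
        # Columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header row, "..." elision, or truncated line
        argv0 = fields[10].split()[0]
        if argv0.rsplit("/", 1)[-1] == command:
            yield fields[0], int(fields[1]), fields[7]


def audit(text, worker_user="httpd"):
    """Return a list of findings; an empty list means the split looks as expected."""
    findings = []
    procs = list(parse_ps(text))
    # Assumption: the parent is the one root-owned session leader ("s" in STAT).
    parents = [p for p in procs if p[0] == "root" and "s" in p[2]]
    if len(parents) != 1:
        findings.append(f"expected one root session-leader parent, found {len(parents)}")
    for proc in procs:
        user, pid, _stat = proc
        if proc in parents:
            continue
        if user == "root":
            findings.append(f"pid {pid}: worker still running as root")
        elif user != worker_user:
            findings.append(f"pid {pid}: worker runs as unexpected user {user!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit(sample) or "no findings")
```

Plain `ps aux` output carries no parent PID, so this checks ownership only, not that each worker actually descends from the root parent.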