Posted to dev@httpd.apache.org by Greg Stein <gs...@lyra.org> on 2004/05/09 10:21:04 UTC

Re: WebDAV and reading / writing files as system users

On Fri, Apr 30, 2004 at 08:09:13PM +0200, Graham Leggett wrote:
> André Malo wrote:
> 
> >Hmm. I suspect the difference is that Apache was never designed to run as
> >root.
> 
> You're assuming the root account is the most damaging account to 
> compromise. In the case of a fileserver, you will very likely want some 
> files kept more private than others. If I as a hacker wanted to steal 
> private data from an Apache + DAV fileserver, and all the files were 
> owned by user "apache", I would simply need to compromise the "apache" 
> account to have complete unrestricted access to all data on the server. 
> So, in a fileserver environment, hacking "apache" would be as 
> disastrous as hacking "root". On this basis I would argue that _in a 
> fileserver environment_ "all files under one account" is less secure 
> (aka more risky) than system based file ownerships.

This is all fine and dandy discussion, but I really don't see that Apache
should or would build in facilities that are dependent upon running as
root. We explicitly discourage that behavior, we check for it, and we even
force the package to do extra legwork (-DBIG_SECURITY_HOLE) if they want
that.

So given all the push against running as root, why would the server grow a
lot of functionality to run in that particular mode of operation?

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/