Posted to users@httpd.apache.org by Krist van Besien <kr...@gmail.com> on 2008/09/01 06:34:09 UTC

Re: [users@httpd] How to start Apache automatically with certificate?

On Fri, Aug 29, 2008 at 18:43, Joseph S D Yao <js...@tux.org> wrote:
> On Fri, Aug 29, 2008 at 08:48:34AM +0200, Krist van Besien wrote:
> ...
>> You need super user powers to maintain a webserver anyway.
>
> Why?

Because you need to start apache as root if you want it to bind to ports > 1024

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Thu, Sep 04, 2008 at 07:55:09AM +0200, Krist van Besien wrote:
> On Wed, Sep 3, 2008 at 18:12, Joseph S D Yao <js...@tux.org> wrote:
> 
> > Doing everything as root is just plain bad security.  Plan around it.
> 
> That is why sudo is so convenient. I never meant that you would need
> to do everything as root, only that you needed to be able to do things
> as root. I almost never do a su - root, and use sudo almost whenever I
> need root powers.
> 
> I keep my config files writable only by root, and use sudoedit to edit
> them. I use sudo apachectl to restart apache etc...


Sudo without "-u ..." is root.  Plan how to do without it.  Does it
matter whether you say:
	$ su
	# cd /
	# ls tmp/"temp files "*
	# rm -rf tmp/"temp files" *
or
	$ cd /
	$ ls tmp/"temp files "*
	$ sudo rm -rf tmp/"temp files" *
?  Either way, you're history.

Have your files owned by a system account and readable by the Web
server account, and 'su' or 'sudo' to that account to RCS control and
edit them.

Then again, this may be a level of effort too great for casual Web sites
that can be easily reconstructed by hand, and where it doesn't really
matter if it is off the Web for a while.  For such personal-use systems,
doing everything as "root" is fine, since the only one upset with you if
you make such a mistake, will be you.  ;-)


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Krist van Besien <kr...@gmail.com>.
On Wed, Sep 3, 2008 at 18:12, Joseph S D Yao <js...@tux.org> wrote:

> Doing everything as root is just plain bad security.  Plan around it.

That is why sudo is so convenient. I never meant that you would need
to do everything as root, only that you needed to be able to do things
as root. I almost never do a su - root, and use sudo almost whenever I
need root powers.

I keep my config files writable only by root, and use sudoedit to edit
them. I use sudo apachectl to restart apache etc...

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Sep 4, 2008 at 10:51 PM, Joseph S D Yao <js...@tux.org> wrote:

> I did figure someone would point out that I'd said more words than those
> in the last entry.  I really don't want to add any more to this topic.
> If anyone else can stand up and say that THEY have admin'ed Unix, Linux,
> BSD, etc. for over 35 years, and NEVER seen a mistake made worse because
> the person making the mistake was su'ed or sudo'ed to root, then I will
> applaud that person's good luck - SILENTLY.

In the end always make backups. I've in my career (only 15 years) once
deleted files as root by accident. But it has only happened once, and
it was in the first year of my career. BTW, I'm impressed that you
were already admin'ing Unix when there were only a few hundred
installations worldwide...

A lot of things can go wrong. A lot of things are run as root even
when it's not obvious. I've seen a system thoroughly wrecked by a
typing error in a postinstall script included in a sun package.
Luckily this was a test system, and it was exactly to catch such
things that the package was installed on a test system first. That's
how you do it in a real production environment. I don't edit
httpd.conf on any production server. I do it on an integration
machine, ship a package to a test machine, and if it passes the tests
(executed by someone else) it goes on production.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Thu, Sep 04, 2008 at 04:35:53PM -0400, Eric Covener wrote:
...
> That's not all you've been saying.
> 
> | You should be running your servers as some other user, say, "apache",
> | and so the uncloaked cert files should be stored as read-only by "apache".


I did note at one point that my original note had been dashed off
hastily, and that it had some flaws.  For this I apologize.

If you are running your Web server as the account "apache" then, as has
been pointed out, you should have your content files owned by, say
"wwwadmin" [to use the most recent suggestion].  The cert files can be
owned by the same account or, better, another one that is solely for the
certs rather than the Web content updaters, if this is a multi-person
show.


I did figure someone would point out that I'd said more words than those
in the last entry.  I really don't want to add any more to this topic.
If anyone else can stand up and say that THEY have admin'ed Unix, Linux,
BSD, etc. for over 35 years, and NEVER seen a mistake made worse because
the person making the mistake was su'ed or sudo'ed to root, then I will
applaud that person's good luck - SILENTLY.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Eric Covener <co...@gmail.com>.
On Thu, Sep 4, 2008 at 4:21 PM, Joseph S D Yao <js...@tux.org> wrote:
>> The refutation is that in order to bind to port 80, have access to keys,
>> etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
>> role user, that's fine, it's one degree removed from root.  ...
>
>
> Which is all I've been saying.  Thanks for finally agreeing.

That's not all you've been saying.

| You should be running your servers as some other user, say, "apache",
| and so the uncloaked cert files should be stored as read-only by "apache".


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Joseph S D Yao wrote:
> On Thu, Sep 04, 2008 at 12:33:20PM -0500, William A. Rowe, Jr. wrote:
>> Joseph S D Yao wrote:
>>> On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
>>> ...
>>>> They've also suggested that their conf files be owned by root, and only
>>>> readable by the apache user, which you also disagree with.
>>> ...
>>>
>>> Nobody has come up with a good argument for this, or a refutation of my
>>> argument against it.
>> The refutation is that in order to bind to port 80, have access to keys,
>> etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
>> role user, that's fine, it's one degree removed from root.  ...
> 
> Which is all I've been saying.  Thanks for finally agreeing.

No, I disagree with you above unless the caveats and warnings that you have
elided above are restored.  People reading the above (with no context) are
likely to deploy far more vulnerable configurations than the conventional
"maintain httpd.conf files as root" wisdom.




Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Thu, Sep 04, 2008 at 12:33:20PM -0500, William A. Rowe, Jr. wrote:
> Joseph S D Yao wrote:
> > On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
> > ...
> >> They've also suggested that their conf files be owned by root, and only
> >> readable by the apache user, which you also disagree with.
> > ...
> > 
> > Nobody has come up with a good argument for this, or a refutation of my
> > argument against it.
> 
> The refutation is that in order to bind to port 80, have access to keys,
> etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
> role user, that's fine, it's one degree removed from root.  ...


Which is all I've been saying.  Thanks for finally agreeing.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Joseph S D Yao wrote:
> On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
> ...
>> They've also suggested that their conf files be owned by root, and only
>> readable by the apache user, which you also disagree with.
> ...
> 
> Nobody has come up with a good argument for this, or a refutation of my
> argument against it.

The refutation is that in order to bind to port 80, have access to keys,
etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
role user, that's fine, it's one degree removed from root.  But if they
are owned by the user which httpd process runs-as (after User directives),
then the system can be exploited;

whoever configures httpd.conf ultimately is running code as-root initially.
Perhaps you have modperl configuration, or exploit an overrun of config
syntax parsing.  Whatever, your conf is run as root, so it is no less secure
to demand these files are edited by root.

>> Your security advice, from what I've seen, is at best misinformed, and
>> at worst it is negligent. I urge anyone reading this thread to check
>> some reputable sources before implementing any of Joseph's suggestions.
> 
> I urge anyone reading this thread to actually read it.

Please stop pushing an ill-advised agenda until you thoroughly understand
httpd security.  Tom Evans' post was the most succinct summary presented
yet, and I find no fault in it.



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
...
> They've also suggested that their conf files be owned by root, and only
> readable by the apache user, which you also disagree with.
...

Nobody has come up with a good argument for this, or a refutation of my
argument against it.

> If you do not start apache as root and then drop privileges, it means
> that any resources required to start their server will be accessible by
> the web server. ...

Now when did I  e v e r  suggest that?  I agree with your condemnation
of it whole-heartedly.

> If the server's conf file is not owned by root, then generally that is
> okay, as long as it is not writable by the user running apache. I would
> personally still have it owned by root.

But, you see, then you have to BE root to edit it - 'sudo' counts - and
this is what you agreed above was bad.

> Your security advice, from what I've seen, is at best misinformed, and
> at worst it is negligent. I urge anyone reading this thread to check
> some reputable sources before implementing any of Joseph's suggestions.


I urge anyone reading this thread to actually read it.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Tom Evans <te...@googlemail.com>.
On Wed, 2008-09-03 at 12:12 -0400, Joseph S D Yao wrote:
> Doing everything as root is just plain bad security.  Plan around it.

Doing everything as root IS bad, and I don't think a single person has
suggested it. What they have suggested is having apache started by root
to allow it to acquire privileged resources, such as keys, sockets, log
file handles etc, before dropping privileges.
They've also suggested that their conf files be owned by root, and only
readable by the apache user, which you also disagree with.

Both of these arguments are eminently correct, and your disagreements to
them are just plain wrong. 
If you do not start apache as root and then drop privileges, it means
that any resources required to start their server will be accessible by
the web server. This in turn means that if any exploit is found and
exposed in your server, the attacker would have the means to truncate
your log files (covering tracks) and impersonate your server in SSL
transactions - effectively do a man in the middle attack.

If the server's conf file is not owned by root, then generally that is
okay, as long as it is not writable by the user running apache. I would
personally still have it owned by root.

Your security advice, from what I've seen, is at best misinformed, and
at worst it is negligent. I urge anyone reading this thread to check
some reputable sources before implementing any of Joseph's suggestions.

Cheers

Tom
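
An added example, not part of any message in this thread and not httpd project code: a Python check for the two conditions argued in Tom Evans' and William Rowe's posts, namely that httpd.conf is neither owned nor writable by the account httpd runs as, and that the private key is not readable by it. The function names, the uid/gid arguments and the temp-dir layout are assumptions constructed for illustration; only classic mode bits are evaluated (no ACLs).

```python
import os
import stat
import tempfile


def can_access(st, uid, gids, want):
    """Classic Unix mode-bit check for uid/gids; want is 'r' or 'w'.
    ACLs, capabilities and read-only mounts are not considered."""
    if uid == 0:
        return True
    bit = {"r": 4, "w": 2}[want]
    if st.st_uid == uid:            # owner class applies, even if stricter
        return bool(st.st_mode & (bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (bit << 3))
    return bool(st.st_mode & bit)


def audit(path, uid, gids, secret=False):
    """Return findings for `path` as seen by the run-as account (uid, gids).
    secret=True additionally flags read access (private keys)."""
    findings = []
    st = os.stat(path)
    if st.st_uid == uid:
        findings.append("owned by run-as user (can chmod and rewrite it)")
    elif can_access(st, uid, gids, "w"):
        findings.append("writable by run-as user")
    if secret and can_access(st, uid, gids, "r"):
        findings.append("private key readable by run-as user")
    # A writable parent directory lets the file be renamed away and replaced,
    # unless the sticky bit protects entries the account does not own.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    sticky_protects = (uid != 0 and parent.st_mode & stat.S_ISVTX
                       and parent.st_uid != uid and st.st_uid != uid)
    if (parent.st_uid == uid or can_access(parent, uid, gids, "w")) \
            and not sticky_protects:
        findings.append("parent directory writable by run-as user")
    return findings


def demo():
    """Constructed layout in a temp dir; `other` stands in for a run-as
    account such as "apache" that owns nothing there."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    conf, key = os.path.join(d, "httpd.conf"), os.path.join(d, "server.key")
    for p in (conf, key):
        with open(p, "w"):
            pass
        os.chmod(p, 0o644)
    me, other = os.getuid(), os.getuid() + 1
    out = {
        "conf_owned_by_runas": audit(conf, me, set()),
        "conf_owned_by_admin": audit(conf, other, set()),
        "key_mode_644": audit(key, other, set(), secret=True),
    }
    os.chmod(key, 0o600)            # key now readable by its owner only
    out["key_mode_600"] = audit(key, other, set(), secret=True)
    return out


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

On a real host, pass the uid and group ids of the account named by the User and Group directives and the actual configuration and key paths.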

Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Wed, Sep 03, 2008 at 02:02:16PM +0200, Krist van Besien wrote:
> On Tue, Sep 2, 2008 at 20:18, Joseph S D Yao <js...@tux.org> wrote:
...
> > maintaining != starting
> 
> Since any change to the config requires a restart, maintaining a server
> requires you to be able to start it.
...


Fair.  For most changes, anyway.  But maintaining the server files
should not require root privileges.  And if it is possible to re-start
the server without becoming root [requires some assembly - or C], then
do so.

The whole point, which seems to be missed among my earlier whimsical
phrasing and some possible mistakes on my part, is this.  You should do
as little as possible as root.  In the over 35 years that I've been
working on and maintaining *n*x systems, it's amazing the number of
mistakes - often lethal [for the system] - that have been made possible
because someone was doing something as root, rather than as a system
account.  The corollary, of course, is that as few files as possible
should be owned by root, so that you don't have to be root to maintain
them.  The ownership, if possible/necessary, should be spread around to
system accounts with different roles.

Doing everything as root is just plain bad security.  Plan around it.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Sep 2, 2008 at 20:18, Joseph S D Yao <js...@tux.org> wrote:
> On Mon, Sep 01, 2008 at 06:34:09AM +0200, Krist van Besien wrote:
>> On Fri, Aug 29, 2008 at 18:43, Joseph S D Yao <js...@tux.org> wrote:
>> > On Fri, Aug 29, 2008 at 08:48:34AM +0200, Krist van Besien wrote:
>> > ...
>> >> You need super user powers to maintain a webserver anyway.
>> >
>> > Why?
>>
>> Because you need to start apache as root if you want it to bind to ports > 1024
>
>
> maintaining != starting

Since any change to the config requires a restart, maintaining a server
requires you to be able to start it.

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Mon, Sep 01, 2008 at 06:34:09AM +0200, Krist van Besien wrote:
> On Fri, Aug 29, 2008 at 18:43, Joseph S D Yao <js...@tux.org> wrote:
> > On Fri, Aug 29, 2008 at 08:48:34AM +0200, Krist van Besien wrote:
> > ...
> >> You need super user powers to maintain a webserver anyway.
> >
> > Why?
> 
> Because you need to start apache as root if you want it to bind to ports > 1024


maintaining != starting

-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/
