Posted to dev@httpd.apache.org by Ingo Lütkebohle <in...@blank.pages.de> on 1997/07/12 21:57:43 UTC

running server as root (Was: Re: PUT method)

Lars Eilebrecht wrote:
> The better idea is IMHO to use
> a kind of wrapper for this purpose, because running a web-server as
> root is braindead, but hey we are talking about Microsoft. >;-)

Well... I guess I'm on unsafe ground here, but I am not so sure that
running a server as root is an entirely bad idea. Of course, *serving*
your typical anonymous request as root is a bad idea, but that does not
mean that there are no good reasons to run a server as root (and switch
UID's as needed).

For example, the current abundance of authentication modules is an
administrative nightmare, not to speak of the fact that quite a few of
these modules are not stress-tested. The single most stated reason for
this is the fact that the HTTP protocol does transmit the password in
clear-text, which is a rather bad excuse as anyone familiar with other
protocols should admit. In my humble opinion, it creates more problems
than it solves.

I believe that a server with better integration into the UNIX security
scheme would be interesting at least. I am reluctant to go into more
detail here, to keep the mail from growing out of bounds, but I'll
gladly do so if there's interest. Of course, if there's no interest, I'm
silent ;-)

---/dev/il

Re: running server as root (Was: Re: PUT method)

Posted by Ingo Lütkebohle <in...@blank.pages.de>.
Marc Slemko wrote:
> It is the case of many servers.  How many security holes has wu-ftpd had
> that let you get root?  How many security holes has sendmail had that let
> you get root?  How many security holes has Apache had that let you get
> root?

That hit the spot, I'm afraid.
 
> I have gone through the source.  I have patched many security holes.  I am
> not convinced it is safe.

Ok, I'm convinced. Thanks for clearing that up.

---/dev/il

Re: running server as root (Was: Re: PUT method)

Posted by Marc Slemko <ma...@worldgate.com>.
On Sat, 12 Jul 1997, Ingo Lütkebohle wrote:

> Marc Slemko wrote:
> > If you have a real uid of root, then if someone finds something like a
> > buffer overflow in the code that is exploitable they can get root.  Sure,
> > takes another couple of syscalls but no big deal.  That is not good.
> 
> Isn't that the case for almost every other server you care to mention?

It is the case of many servers.  How many security holes has wu-ftpd had
that let you get root?  How many security holes has sendmail had that let
you get root?  How many security holes has Apache had that let you get
root?

The answer to the first two is lots, the last one is darn few, if any,
provided you have it configured correctly, even though correctly was not
always documented.  Note the first two run with a real uid of root some or
most of the time, the latter doesn't.

If Apache 1.1 ran with a ruid of root and just switched euids, it would
have almost certainly let someone get root through various bugs.

> What about switching to an EUID of nobody early in the request
> processing stage?

Does no good.  

There certainly are _lots_ of cool features that would be nice to do if
Apache could switch euid at will.  I am not yet convinced the security
risks are worth it.

I have gone through the source.  I have patched many security holes.  I am
not convinced it is safe.
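
Marc's point that switching euids "does no good" can be read straight off the process's (real, effective, saved) uid triple. Added example, not from the thread or from Apache: it assumes Linux/glibc (setresuid, getresuid, setgroups), and root_recoverable and drop_privileges_permanently are names of my own.

```c
/* Added example, not from the thread or from Apache: why an euid-only
 * switch leaves root recoverable, and how a permanent drop is verified.
 * Assumes Linux/glibc (setresuid, getresuid, setgroups). */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Pure check on a (real, effective, saved) uid triple. seteuid() only
 * moves the middle value; if any of the three is still 0, a single
 * setresuid(0, 0, 0) call restores full root. */
int root_recoverable(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid == 0 || euid == 0 || suid == 0;
}

/* Same check on the calling process; -1 if the triple cannot be read. */
int current_root_recoverable(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return root_recoverable(r, e, s);
}

/* Permanent drop, the kind Marc contrasts with euid switching: all three
 * uids and gids change, supplementary groups are cleared, and the result
 * is read back rather than trusted. Returns 0 only if every id changed. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0) return -1;
    if (r != uid || e != uid || s != uid) return -1;
    return (rg == gid && eg == gid && sg == gid) ? 0 : -1;
}

int main(void)
{
    /* constructed target: 65534 ("nobody" on many systems) when started as
     * root, otherwise the current ids so the demo also runs unprivileged */
    uid_t uid = (geteuid() == 0) ? 65534 : getuid();
    gid_t gid = (geteuid() == 0) ? 65534 : getgid();
    printf("before drop: root recoverable = %d\n", current_root_recoverable());
    printf("drop result = %d, root recoverable = %d\n",
           drop_privileges_permanently(uid, gid), current_root_recoverable());
    return 0;
}
```

Started as root, the second line prints a recoverable value of 0; a process that only called seteuid() would still print 1, which is the exposure the thread is about.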


Re: running server as root (Was: Re: PUT method)

Posted by Ingo Lütkebohle <in...@blank.pages.de>.
Marc Slemko wrote:
> If you have a real uid of root, then if someone finds something like a
> buffer overflow in the code that is exploitable they can get root.  Sure,
> takes another couple of syscalls but no big deal.  That is not good.

Isn't that the case for almost every other server you care to mention?
What about switching to an EUID of nobody early in the request
processing stage?

---/dev/il

Re: running server as root (Was: Re: PUT method)

Posted by Marc Slemko <ma...@worldgate.com>.
On Sun, 13 Jul 1997, Dean Gaudet wrote:

> Not to mention that if running as uid = 0 you can symlink and read any
> file on disk ... even after the patches in 1.2.1.  Consider race
> conditions.

Naw, no one is thinking of actually serving requests as root, but just
keeping a real or saved uid of root so we can swap around through other
users for different things.  There is actually a patch or two around to do
this and it lets you implement really cool features.  If only we were
Microsoft...

OTOH, the default configuration of a certain server which I won't name
(no, it isn't from MS or NS or any big company) runs all CGIs as root and
can make it quite challenging to change that.

> 
> Dean
> 
> On Sat, 12 Jul 1997, Marc Slemko wrote:
> 
> > On Sat, 12 Jul 1997, Ingo Lütkebohle wrote:
> > 
> > > Lars Eilebrecht wrote:
> > > > The better idea is IMHO to use
> > > > a kind of wrapper for this purpose, because running a web-server as
> > > > root is braindead, but hey we are talking about Microsoft. >;-)
> > > 
> > > Well... I guess I'm on unsafe ground here, but I am not so sure that
> > > running a server as root is an entirely bad idea. Of course, *serving*
> > > your typical anonymous request as root is a bad idea, but that does not
> > > mean that there are no good reasons to run a server as root (and switch
> > > UID's as needed).
> > 
> > If you have a real uid of root, then if someone finds something like a
> > buffer overflow in the code that is exploitable they can get root.  Sure,
> > takes another couple of syscalls but no big deal.  That is not good.

Re: running server as root (Was: Re: PUT method)

Posted by Dean Gaudet <dg...@arctic.org>.
Not to mention that if running as uid = 0 you can symlink and read any
file on disk ... even after the patches in 1.2.1.  Consider race
conditions.

Dean

On Sat, 12 Jul 1997, Marc Slemko wrote:

> On Sat, 12 Jul 1997, Ingo Lütkebohle wrote:
> 
> > Lars Eilebrecht wrote:
> > > The better idea is IMHO to use
> > > a kind of wrapper for this purpose, because running a web-server as
> > > root is braindead, but hey we are talking about Microsoft. >;-)
> > 
> > Well... I guess I'm on unsafe ground here, but I am not so sure that
> > running a server as root is an entirely bad idea. Of course, *serving*
> > your typical anonymous request as root is a bad idea, but that does not
> > mean that there are no good reasons to run a server as root (and switch
> > UID's as needed).
> 
> If you have a real uid of root, then if someone finds something like a
> buffer overflow in the code that is exploitable they can get root.  Sure,
> takes another couple of syscalls but no big deal.  That is not good.

Re: running server as root (Was: Re: PUT method)

Posted by Marc Slemko <ma...@worldgate.com>.
On Sat, 12 Jul 1997, Ingo Lütkebohle wrote:

> Lars Eilebrecht wrote:
> > The better idea is IMHO to use
> > a kind of wrapper for this purpose, because running a web-server as
> > root is braindead, but hey we are talking about Microsoft. >;-)
> 
> Well... I guess I'm on unsafe ground here, but I am not so sure that
> running a server as root is an entirely bad idea. Of course, *serving*
> your typical anonymous request as root is a bad idea, but that does not
> mean that there are no good reasons to run a server as root (and switch
> UID's as needed).

If you have a real uid of root, then if someone finds something like a
buffer overflow in the code that is exploitable they can get root.  Sure,
takes another couple of syscalls but no big deal.  That is not good.