Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/06/28 21:40:01 UTC

more security thoughts

I've been thinking more about the silly people who run their server
as root.  There are probably a half-dozen attacks that allow you to read
any file on the system as the uid/gid of the webserver itself.  I'm not
particularly happy about having to fix these (you have to fstat() after
an open() to make sure you opened what you thought you were going to).
I'd rather just print a big fat warning in the logs and on stderr if
the server is run as root.

Or better yet, just exit(1) if User root, and require rebuilding with
-DSHOOT_MY_FOOT_OFF to get past that point.

We also need to document a "secure" config a bit better... i.e.

<Directory />
    # default-deny for the whole filesystem; open things up per tree below
    AllowOverride None
    Options None
    order deny,allow
    deny from all
</Directory>

<Directory /path/to/documentroot>
    AllowOverride ???
    # with SymLinksIfOwnerMatch, and not FollowSymLinks
    Options ???
    order allow,deny
    allow from all
</Directory>

<Directory /home/*/public_html>
    AllowOverride ???
    # with SymLinksIfOwnerMatch, and not FollowSymLinks
    Options ???
    order allow,deny
    allow from all
</Directory>

<Directory /path/to/cgi-bin>
    AllowOverride None
    Options ExecCGI
    order allow,deny
    allow from all
</Directory>

Or something like that.

Dean
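
The open()-then-fstat() check Dean describes, and the root refusal he
proposes, as an added example that is not code from this thread or from
Apache httpd. The function names, the hypothetical SHOOT_MY_FOOT_OFF build
flag, and the scratch directory under /tmp are all my own assumptions. It
lstat()s the path first, opens it, then compares the descriptor's dev/ino pair
with what lstat() saw; a symlink renamed over the file in between is caught.
The demo plays the attacker who wins that race and checks the open is refused.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Nonzero when a and b name the same inode on the same device. */
int same_inode(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* First look: lstat() the path (a final symlink is seen as a symlink) and
 * insist on a regular file. Returns 0 and fills st, or -1 with errno set. */
int inspect_path(const char *path, struct stat *st)
{
    if (lstat(path, st) != 0)
        return -1;
    if (!S_ISREG(st->st_mode)) {           /* symlink, directory, device, fifo */
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Second look: open, then fstat() the descriptor and compare it with what
 * inspect_path() saw. A swap in the window between the two calls (a symlink
 * renamed over the file, say) changes the dev/ino pair and is refused with
 * ELOOP. flags go to open(); callers should add O_NOFOLLOW where the
 * platform has it, on top of this check. */
int open_verified(const char *path, int flags, const struct stat *expected)
{
    struct stat actual;
    int fd = open(path, flags | O_NONBLOCK);   /* never hang on a fifo */
    if (fd < 0)
        return -1;
    if (fstat(fd, &actual) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(actual.st_mode) || !same_inode(expected, &actual)) {
        close(fd);
        errno = ELOOP;
        return -1;
    }
    return fd;
}

/* Startup refusal: 1 means "exit(1), you are root", unless the binary was
 * built with -DSHOOT_MY_FOOT_OFF (hypothetical flag from the post). */
int must_refuse_uid(uid_t uid)
{
#ifdef SHOOT_MY_FOOT_OFF
    (void)uid;
    return 0;
#else
    return uid == 0;
#endif
}

static int create_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Constructed scenario: a scratch directory holds a public file and a secret.
 * We inspect the public file, then (as the attacker who wins the race) rename
 * a symlink to the secret over it before opening. Returns 1 when the honest
 * open succeeds and the swapped open is refused, else 0. */
int demo_symlink_swap(void)
{
    char dir[] = "/tmp/openverifyXXXXXX";
    char victim[64], secret[64], link[64];
    struct stat before;
    int ok = 0, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/index.html", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    if (create_file(victim, "public") == 0 && create_file(secret, "private") == 0 &&
        inspect_path(victim, &before) == 0) {
        fd = open_verified(victim, O_RDONLY, &before);   /* no swap: accepted */
        int honest = fd >= 0;
        if (fd >= 0)
            close(fd);
        int swapped = symlink(secret, link) == 0 && rename(link, victim) == 0;
        fd = open_verified(victim, O_RDONLY, &before);   /* swapped: refused */
        int caught = fd < 0 && errno == ELOOP;
        if (fd >= 0)
            close(fd);
        ok = honest && swapped && caught;
    }
    unlink(victim);
    unlink(secret);
    unlink(link);
    rmdir(dir);
    return ok;
}
```

The demo deliberately opens without O_NOFOLLOW so that the fstat() comparison
is what catches the swap; with O_NOFOLLOW the open itself fails for a final
symlink, but the dev/ino check is still what protects against a directory
component being swapped higher up the path.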


Re: more security thoughts

Posted by Marc Slemko <ma...@worldgate.com>.
On Sat, 28 Jun 1997, Dean Gaudet wrote:

> I've been thinking more about the silly people who run their server
> as root.  There are probably a half-dozen attacks that allow you to read
> any file on the system as the uid/gid of the webserver itself.  I'm not
> particularly happy about having to fix these (you have to fstat() after
> an open() to make sure you opened what you thought you were going to).
> I'd rather just print a big fat warning in the logs and on stderr if
> the server is run as root.

I'm not sure that all of the possible race conditions can be fixed,
period.

I'm not sure if doing what you suggest would help the morons, but it
may be a good idea... do something, ranging from a minimum of whining 
to a maximum of just not working if the server is run as root.