Posted to dev@httpd.apache.org by "R.J. Kraaij" <te...@worldonline.nl> on 1999/02/01 11:50:11 UTC

[ apache on win32 Service /network shares]

Hi, this is my first post here, so if I'm doing something wrong,
please tell me personally :o)

>     * who should run the service?  Who exactly is the "system account"?
>       That _really_ sucks.  Can we recommend running Apache as some 
>       other user?
The service uses the account it's running on to hand it over to called
devices. However, there are exceptions. For instance, Pathworks on NT: when
a user is logged into the system and has a drive mapped, the
service is capable of accessing the drive by using the user's credentials.

This is one of the leaks I personally experimented with. Microsoft IIS3 is also
vulnerable to this leak. In fact, we have been using this trick
ourselves, to let us access certain shares with permission problems...

So _high_ care should be taken when logging into a system where a
webserver is running. Be sure you're not using a rare network mapping client.

Because then a user with access to any server scripting could
theoretically (and practically, tested by myself) access your mapped network
devices using _your_ account (just by doing an openfile on your
Mappedletter:\Drive\).

This does not count for SMB network shares.


----
Background of author: I'm running 5 intranet webservers on IIS,
and an Internet-Apache-Module-Chatserver.


   -- Reinder Kraaij