Posted to users@httpd.apache.org by Tom Evans <te...@googlemail.com> on 2008/09/04 16:55:33 UTC

Re: [users@httpd] How to start Apache automatically with certificate?

On Wed, 2008-09-03 at 12:12 -0400, Joseph S D Yao wrote:
> Doing everything as root is just plain bad security.  Plan around it.

Doing everything as root IS bad, and I don't think a single person has
suggested it. What they have suggested is having apache started by root
to allow it to acquire privileged resources, such as keys, sockets, log
file handles etc, before dropping privileges.
They've also suggested that their conf files be owned by root, and only
readable by the apache user, which you also disagree with.

Both of these arguments are eminently correct, and your disagreements to
them are just plain wrong. 
If you do not start apache as root and then drop privileges, it means
that any resources required to start their server will be accessible by
the web server. This in turn means that if any exploit is found and
exposed in your server, the attacker would have the means to truncate
your log files (covering tracks) and impersonate your server in SSL
transactions - effectively do a man in the middle attack.

If the server's conf file is not owned by root, then generally that is
okay, as long as it is not writable by the user running apache. I would
personally still have it owned by root.

Your security advice, from what I've seen, is at best misinformed, and
at worst it is negligent. I urge anyone reading this thread to check
some reputable sources before implementing any of Joseph's suggestions.

Cheers

Tom

Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Krist van Besien <kr...@gmail.com>.
On Thu, Sep 4, 2008 at 10:51 PM, Joseph S D Yao <js...@tux.org> wrote:

> I did figure someone would point out that I'd said more words than those
> in the last entry.  I really don't want to add any more to this topic.
> If anyone else can stand up and say that THEY have admin'ed Unix, Linux,
> BSD, etc. for over 35 years, and NEVER seen a mistake made worse because
> the person making the mistake was su'ed or sudo'ed to root, then I will
> applaud that person's good luck - SILENTLY.

In the end always make backups. I've in my career (only 15 years) once
deleted files as root by accident. But it has only happened once, and
it was in the first year of my career. BTW, I'm impressed that you
were already admin'ing Unix when there were only a few hundred
installations worldwide...

A lot of things can go wrong. A lot of things are run as root even
when it's not obvious. I've seen a system thoroughly wrecked by a
typing error in a postinstall script included in a sun package.
Luckily this was a test system, and it was exactly to catch such
things that the package was installed on a test system first. That's
how you do it in a real production environment. I don't edit
httpd.conf on any production server. I do it on an integration
machine, ship a package to a test machine, and if it passes the tests
(executed by someone else) it goes on production.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Thu, Sep 04, 2008 at 04:35:53PM -0400, Eric Covener wrote:
...
> That's not all you've been saying.
> 
> | You should be running your servers as some other user, say, "apache",
> | and so the uncloaked cert files should be stored as read-only by "apache".


I did note at one point that my original note had been dashed off
hastily, and that it had some flaws.  For this I apologize.

If you are running your Web server as the account "apache" then, as has
been pointed out, you should have your content files owned by, say
"wwwadmin" [to use the most recent suggestion].  The cert files can be
owned by the same account or, better, another one that is solely for the
certs rather than the Web content updaters, if this is a multi-person
show.


I did figure someone would point out that I'd said more words than those
in the last entry.  I really don't want to add any more to this topic.
If anyone else can stand up and say that THEY have admin'ed Unix, Linux,
BSD, etc. for over 35 years, and NEVER seen a mistake made worse because
the person making the mistake was su'ed or sudo'ed to root, then I will
applaud that person's good luck - SILENTLY.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/


Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Eric Covener <co...@gmail.com>.
On Thu, Sep 4, 2008 at 4:21 PM, Joseph S D Yao <js...@tux.org> wrote:
>> The refutation is that in order to bind to port 80, have access to keys,
>> etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
>> role user, that's fine, it's one degree removed from root.  ...
>
>
> Which is all I've been saying.  Thanks for finally agreeing.

That's not all you've been saying.

| You should be running your servers as some other user, say, "apache",
| and so the uncloaked cert files should be stored as read-only by "apache".


-- 
Eric Covener
covener@gmail.com


Re: [users@httpd] How to start Apache automatically with certificate?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Joseph S D Yao wrote:
> On Thu, Sep 04, 2008 at 12:33:20PM -0500, William A. Rowe, Jr. wrote:
>> Joseph S D Yao wrote:
>>> On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
>>> ...
>>>> They've also suggested that their conf files be owned by root, and only
>>>> readable by the apache user, which you also disagree with.
>>> ...
>>>
>>> Nobody has come up with a good argument for this, or a refutation of my
>>> argument against it.
>> The refutation is that in order to bind to port 80, have access to keys,
>> etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
>> role user, that's fine, it's one degree removed from root.  ...
> 
> Which is all I've been saying.  Thanks for finally agreeing.

No, I disagree with you above unless the caveats and warnings that you have
elided above are restored.  People reading the above (with no context) are
likely to deploy far more vulnerable configurations than the conventional
"maintain httpd.conf files as root" wisdom.



Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Thu, Sep 04, 2008 at 12:33:20PM -0500, William A. Rowe, Jr. wrote:
> Joseph S D Yao wrote:
> > On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
> > ...
> >> They've also suggested that their conf files be owned by root, and only
> >> readable by the apache user, which you also disagree with.
> > ...
> > 
> > Nobody has come up with a good argument for this, or a refutation of my
> > argument against it.
> 
> The refutation is that in order to bind to port 80, have access to keys,
> etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
> role user, that's fine, it's one degree removed from root.  ...


Which is all I've been saying.  Thanks for finally agreeing.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/


Re: [users@httpd] How to start Apache automatically with certificate?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Joseph S D Yao wrote:
> On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
> ...
>> They've also suggested that their conf files be owned by root, and only
>> readable by the apache user, which you also disagree with.
> ...
> 
> Nobody has come up with a good argument for this, or a refutation of my
> argument against it.

The refutation is that in order to bind to port 80, have access to keys,
etc, httpd must start as root.  If the conf files are owned by a "wwwadmin"
role user, that's fine, it's one degree removed from root.  But if they
are owned by the user which the httpd process runs as (after User directives),
then the system can be exploited;

whoever configures httpd.conf is ultimately running code as root initially.
Perhaps you have a modperl configuration, or exploit an overrun of config
syntax parsing.  Whatever, your conf is run as root, so it is no less secure
to demand these files are edited by root.

>> Your security advice, from what I've seen, is at best misinformed, and
>> at worst it is negligent. I urge anyone reading this thread to check
>> some reputable sources before implementing any of Joseph's suggestions.
> 
> I urge anyone reading this thread to actually read it.

Please stop pushing an ill-advised agenda until you thoroughly understand
httpd security.  Tom Evans' post was the most succinct summary presented
yet, and I find no fault in it.
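The ownership rule argued here and in Tom Evans' message (conf files, keys and logs owned by root or a separate admin account, never writable by the account named in the User directive) as an added audit script; this is not code from the thread or from the httpd project, and it assumes Linux with GNU stat(1), a fictional run-as account "httpd-runas", and a constructed sample tree:

```shell
#!/bin/sh
# Added audit helper (not code from the thread): report which of httpd's
# startup files the post-"User"/"Group" account could modify. Assumes Linux
# with GNU stat(1); the run-as names come from the conf's User/Group lines.

# First User / Group directive in a config file (empty if absent).
conf_runas_user()  { sed -n 's/^[[:space:]]*User[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p'  "$1" | head -n 1; }
conf_runas_group() { sed -n 's/^[[:space:]]*Group[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1; }

# 0 if account $2 (primary group $3) can write file $1, else 1. Root is not
# special-cased: the question is what the unprivileged run-as user can do.
writable_by() {
    f=$1; u=$2; g=$3
    out=$(stat -c '%U %G %a' "$f") || return 1
    set -- $out
    owner=$1; group=$2; mode=$3
    mode=${mode#"${mode%???}"}          # keep rwx digits, drop suid/sgid/sticky
    ob=$(printf '%s' "$mode" | cut -c1); gb=$(printf '%s' "$mode" | cut -c2)
    wb=$(printf '%s' "$mode" | cut -c3)
    case $wb in 2|3|6|7) return 0 ;; esac                       # world-writable
    if [ "$group" = "$g" ]; then case $gb in 2|3|6|7) return 0 ;; esac; fi
    if [ "$owner" = "$u" ]; then case $ob in 2|3|6|7) return 0 ;; esac; fi
    return 1
}

# Audit the conf itself plus any extra files (keys, logs): print offenders,
# return 1 if any is writable by the run-as account, 0 if all are safe.
audit_startup_files() {
    conf=$1; shift
    u=$(conf_runas_user "$conf"); g=$(conf_runas_group "$conf"); rc=0
    for f in "$conf" "$@"; do
        if writable_by "$f" "$u" "$g"; then
            echo "WRITABLE by run-as user '$u': $f"; rc=1
        fi
    done
    return $rc
}

# Constructed sample tree (fictional run-as account "httpd-runas"); prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Listen 80\nUser httpd-runas\nGroup httpd-runas\n' > "$d/httpd.conf"
    chmod 644 "$d/httpd.conf"
    : > "$d/server.key";  chmod 600 "$d/server.key"   # private key, owner-only
    : > "$d/access.log";  chmod 666 "$d/access.log"   # deliberately world-writable
    echo "$d"
}

d=$(make_sample_tree)
audit_startup_files "$d/httpd.conf" "$d/server.key" "$d/access.log" || echo "audit: problems found"
```

The world-writable log is the case Tom describes (an exploited worker could truncate it); the same check flags a conf or key owned by the run-as user.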


Re: [users@httpd] How to start Apache automatically with certificate?

Posted by Joseph S D Yao <js...@tux.org>.
On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote:
...
> They've also suggested that their conf files be owned by root, and only
> readable by the apache user, which you also disagree with.
...

Nobody has come up with a good argument for this, or a refutation of my
argument against it.

> If you do not start apache as root and then drop privileges, it means
> that any resources required to start their server will be accessible by
> the web server. ...

Now when did I  e v e r  suggest that?  I agree with your condemnation
of it whole-heartedly.

> If the server's conf file is not owned by root, then generally that is
> okay, as long as it is not writable by the user running apache. I would
> personally still have it owned by root.

But, you see, then you have to BE root to edit it - sudo counts - and
this is what you agreed above was bad.

> Your security advice, from what I've seen, is at best misinformed, and
> at worst it is negligent. I urge anyone reading this thread to check
> some reputable sources before implementing any of Joseph's suggestions.


I urge anyone reading this thread to actually read it.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/
