Posted to dev@httpd.apache.org by John Wojtowicz <wo...@tcs-sec.com> on 2000/01/20 18:00:20 UTC

apache Auth password files

I'm curious about Apache security in regards to its Auth password
files, and I'm looking for some comments.

Does apache on Unix provide any DAC (file permission) protection, 
to its Auth password files?

From my understanding of Apache, its auth password files must
be readable by the user or group that the "listener" processes run 
as, which is defined by the User and Group directives.   

This comes as a result of the fact that these Auth password 
files are opened on a per request basis, by the listener processes.
This is unlike the log files which are opened by the "listen-spawner"
process which runs as root and whose file descriptors
are passed via fork() to the listener processes.  (NOTE: 
opening the password files initially as root, and passing descriptors,
along to the child processes may be as bad or worse as a 
security model).

This doesn't quite match the Unix /etc/shadow model, in which 
only a privileged process (one running as root) can read the 
/etc/shadow file which contains encrypted passwords.

The current model seems to rely on CGIs being programmed correctly,
and lack of buffer overflows in Apache (impossible with its pool 
mechanism???) to prevent the Auth password files from being
grabbed by a malicious web request.

Anyway, I was just looking for some comment on this particular 
security aspect of Apache's design.

Thanks,

John 
--
John Wojtowicz, Secure Systems Engr.  ph:    (703) 318-7134
Trusted Computer Solutions, Inc.      fax:   (703) 318-5041
13873 Park Center Rd. Suite 225       email: jwojtowicz@tcs-sec.com
Herndon, VA  20171                    http://www.tcs-sec.com/


Re: apache Auth password files

Posted by Greg Stein <gs...@lyra.org>.
I typically place the password file in a directory that is not mapped to
the URL namespace. For example:

  /home/gstein/my_auth_file
  /home/gstein/public_html/.htaccess       ; this refers to my_auth_file

There is nothing you can do about CGI files grabbing them, unless you
happen to use suEXEC (and enable reading by the web process, but disallow
for all CGI users).

If security is an issue, then don't use password files. Personally, I use
mod_auth_mysql and put all the data into MySQL. Of course, then maybe
somebody would write a PHP script to snarf the data :-)

Note that in these various cases the passwords are stored in an
encrypted form. Not that it helps in the long run, but it helps somewhat.

Also, the pool architecture does not prevent buffer overflows. You could
still alloc something within a pool and overwrite the bugger, causing
later messups (primarily, a DoS rather than a sophisticated attack). Of
course, Apache could still have fixed-size buffers somewhere that are
subject to overflows and therefore to complex attacks. (it doesn't have
fixed-size vars, but the pool architecture doesn't prevent it)

... that's about it for my brain so far.

Cheers,
-g

On Thu, 20 Jan 2000, John Wojtowicz wrote:

> I'm curious about Apache security in regards to its Auth password
> files, and I'm looking for some comments.
> 
> Does apache on Unix provide any DAC (file permission) protection, 
> to its Auth password files?
> 
> From my understanding of Apache, its auth password files must
> be readable by the user or group that the "listener" processes run 
> as, which is defined by the User and Group directives.   
> 
> This comes as a result of the fact that these Auth password 
> files are opened on a per request basis, by the listener processes.
> This is unlike the log files which are opened by the "listen-spawner"
> process which runs as root and whose file descriptors
> are passed via fork() to the listener processes.  (NOTE: 
> opening the password files initially as root, and passing descriptors,
> along to the child processes may be as bad or worse as a 
> security model).
> 
> This doesn't quite match the Unix /etc/shadow model, in which 
> only a privileged process (one running as root) can read the 
> /etc/shadow file which contains encrypted passwords.
> 
> The current model seems to rely on CGIs being programmed correctly,
> and lack of buffer overflows in Apache (impossible with its pool 
> mechanism???) to prevent the Auth password files from being
> grabbed by a malicious web request.
> 
> Anyway, I was just looking for some comment on this particular 
> security aspect of Apache's design.
> 
> Thanks,
> 
> John 
> --
> John Wojtowicz, Secure Systems Engr.  ph:    (703) 318-7134
> Trusted Computer Solutions, Inc.      fax:   (703) 318-5041
> 13873 Park Center Rd. Suite 225       email: jwojtowicz@tcs-sec.com
> Herndon, VA  20171                    http://www.tcs-sec.com/
> 

-- 
Greg Stein, http://www.lyra.org/
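
A check for the two points raised in this thread, as an added example that is not part of either message or of Apache itself: the password file should sit outside every directory mapped into the URL namespace, and it should be readable by the configured User/Group without being world-readable. The function name, the finding codes and the sample tree are hypothetical; the caller supplies the URL-mapped directories and the numeric ids behind the User and Group directives.

```python
import stat
import tempfile
from pathlib import Path

def audit_auth_file(auth_file, url_mapped_dirs, server_uid, server_gid):
    """Return finding codes for one password file; an empty list means OK."""
    findings = []
    real = Path(auth_file).resolve(strict=True)  # follow symlinks first
    roots = [Path(d).resolve() for d in url_mapped_dirs]
    if any(real == r or r in real.parents for r in roots):
        findings.append("inside-url-namespace")
    st = real.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-group-or-other")
    # The children open the file per request as User/Group, so they need
    # read access. Unix checks exactly one permission class, in this order.
    # Simplification: supplementary groups and ACLs are ignored.
    if st.st_uid == server_uid:
        readable = mode & stat.S_IRUSR
    elif st.st_gid == server_gid:
        readable = mode & stat.S_IRGRP
    else:
        readable = mode & stat.S_IROTH
    if not readable:
        findings.append("unreadable-by-server")
    return findings

def demo():
    """Constructed layout: one file beside public_html, one inside it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp, "home", "user")
        web = home / "public_html"
        web.mkdir(parents=True)
        files = {"beside": (home / "my_auth_file", 0o640),
                 "inside": (web / "my_auth_file", 0o644),
                 "locked": (home / "locked_file", 0o600)}
        for path, mode in files.values():
            path.write_text("user:constructed-hash\n")
            path.chmod(mode)
        link = home / "alias"  # symlink whose target is inside public_html
        link.symlink_to(files["inside"][0])
        st = files["beside"][0].stat()
        # Constructed server identity: not the owner, same group as the file.
        ident = (st.st_uid + 1, st.st_gid)
        paths = {**{k: v[0] for k, v in files.items()}, "link": link}
        return {k: audit_auth_file(p, [web], *ident) for k, p in paths.items()}
```

Calling `demo()` runs the check over the constructed tree; the symlink case shows why the path is resolved before it is compared with the mapped directories.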