On Nov 8, 2007 9:12 AM, Axel-Stephane SMORGRAV <[EMAIL PROTECTED]> wrote:
> -----Original message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Joshua Slive
> >Sent: Thursday, November 8, 2007 14:56
> >To: users@httpd.apache.org
> >Subject: Re: [EMAIL PROTECTED] apache as non-root
> >
> >On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV <[EMAIL PROTECTED]> wrote:
> >> Whether Apache is started with sudo or is suid root, anyone able to start an
> >> Apache instance with the configuration of his/her choice can do bad things
> >> on the server.
> >
> >No, if apache is started with normal user privileges, it can't do harm
> >beyond the privileges of that user. By setting apache suid root, anyone on
> >your system can obtain complete root access by using the -f flag to specify
> >a config file. (I won't give specifics of what you need to put in the config
> >file, but it is quite easy for anyone with some apache knowledge.)
> >
>
> Well, Joshua, that was basically what I was trying to say. If Apache is
> started with root privileges (whether sudo or setuid) with a carefully
> crafted configuration, bad things can happen.
>
> So the question is rather whether you can entrust some or all legitimate
> non-root users of the host with the ability to start Apache with root
> privileges so it can bind to reserved ports, and in that case how you choose
> to do so.
>

Ok. I misread your message. What people should remember is that anyone
who can control the main apache config files can gain the privileges
of the user who starts apache.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
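
An audit that follows from the point made in the thread above, as an added example that is not part of the original messages or of the Apache project: it flags a setuid or setgid server binary and any config file or parent directory that someone other than a trusted owner could modify. The function name, its parameters and the sticky-bit handling are assumptions of this example; files pulled in by Include directives are not followed.

```python
import os
import stat


def audit_httpd(binary, config, trusted_uids=(0,), stop_at=os.sep):
    """Return a list of findings; an empty list means nothing was flagged.

    Hypothetical helper written for this example. trusted_uids defaults to
    root only; stop_at limits how far up the directory tree the walk goes.
    """
    findings = []

    # A setuid/setgid server binary lends its owner's privileges to every
    # local user who can run it, whatever config file they pass with -f.
    mode = os.stat(binary).st_mode
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{binary}: setuid/setgid bit set ({stat.filemode(mode)})")

    # Whoever can edit the main config, or replace it through a writable
    # directory above it, gains the privileges of the user who starts httpd.
    path = os.path.realpath(config)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(path)
        if st.st_uid not in trusted_uids:
            findings.append(f"{path}: owned by untrusted uid {st.st_uid}")
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # Assumption: a sticky directory (such as /tmp) is tolerated because
        # entries in it cannot be renamed or removed by other users.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if loose and not sticky_dir:
            findings.append(
                f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            break
        path = parent
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_httpd.py <path to httpd binary> <path to main config>
    for finding in audit_httpd(sys.argv[1], sys.argv[2]):
        print(finding)
```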