On Nov 8, 2007 2:55 PM, Joshua Slive <[EMAIL PROTECTED]> wrote:
> On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV
> <[EMAIL PROTECTED]> wrote:
> > I think you would need to elaborate on that statement. Frankly I can see a 
> > few differences, but I am not sure whether those are what you were thinking 
> > about. Apache also does a chuid/chgid effectively changing the UID/GID of 
> > the process to something which is hopefully not privileged.
> >
> > Whether Apache is started with sudo or is suid root, anyone able to start an
> > Apache instance with the configuration of his/her choice can do bad things
> > on the server.
>
> No, if apache is started with normal user privileges, it can't do harm
> beyond the privileges of that user. By setting apache suid root,
> anyone on your system can obtain complete root access by using the -f
> flag to specify a config file. (I won't give specifics of what you
> need to put in the config file, but it is quite easy for anyone with
> some apache knowledge.)

You could use a wrapper script (as I do) that the user can't change.

Krist

-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
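
A sketch of the kind of wrapper mentioned in the last reply, added here as an example; it is not Krist's script and not Apache project code. It is meant to be run through sudo, hard-codes the configuration file and accepts exactly one control action, so the caller never gets to pass -f. The paths, the install name httpd-ctl and the webadmins group are assumptions.

```sh
#!/bin/sh
# Added example: fixed-argument httpd control wrapper, intended to be run via sudo.
# Hypothetical sudoers entry (group name and install path are assumptions):
#   %webadmins ALL = (root) /usr/local/sbin/httpd-ctl
# Assumed locations; both are hard-coded so the caller cannot override them.
HTTPD=/usr/sbin/httpd
CONF=/etc/httpd/conf/httpd.conf

# Succeeds only for the httpd -k actions the wrapper is willing to pass on.
allowed_action() {
    case "$1" in
        start|stop|restart|graceful) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only if the path exists, is owned by root and is not writable
# by group or others. A symlink is judged by its own mode (0777 on Linux),
# so it fails the check.
is_locked_down() {
    [ -n "$(find "$1" -prune -user root ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

main() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    if [ "$#" -ne 1 ] || ! allowed_action "$1"; then
        echo "usage: httpd-ctl start|stop|restart|graceful" >&2
        return 64
    fi
    for f in "$HTTPD" "$CONF" "$0"; do
        if ! is_locked_down "$f"; then
            echo "refusing: $f must be root-owned and not group/other-writable" >&2
            return 77
        fi
    done
    # The only httpd invocation: config path fixed, action already validated.
    exec "$HTTPD" -f "$CONF" -k "$1"
}

# Run only under the installed name, so sourcing the file just defines functions.
if [ "${0##*/}" = "httpd-ctl" ]; then
    main "$@"
fi
```

Files pulled in by the fixed configuration (Include targets, modules it loads) need the same ownership and permissions, since they are read with the same privileges.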
