[CLUE-Tech] Apache on Debian

Jed S. Baer thag at frii.com
Sat Nov 2 11:27:16 MST 2002


On Sat, 2 Nov 2002 11:10:55 -0700
"Timothy C. Klein" <teece at silverklein.net> wrote:

> I did not explain well.  Say there is a bug in apache, and it allows one
> to try and modify a URL.  These kinds of bugs are common.  With the way
> Debian sets it up, if Apache has a bug, and an evil user tries to
> overwrite a file in var-www, the *operating system* will stop them.
> Many script kiddies look for these kinds of exploits, that allow one to
> do nothing more than change the web page of a site.  With this simple
> set up, such script kiddies are locked out, unless they also know some
> way to get root on the box.
> 
> It really is more secure.  The apache process can not alter files in
> var-www, as it does not have the permissions.  It shouldn't need to.
> If it tries, it could be a bug or a crack attempt, and this prevents it.

No, you explained just fine. My point is only that the same protection is
possible if, for example, the httpd process runs as foghorn:foghorn, and
the files in $DOCUMENT_ROOT are owned by leghorn:leghorn. The files don't
need to be owned by root in order to take advantage of file permissions to
deny modify access.

In fact, using root draws my mind to the question of "why *root*?",
instead of "why some user:group other than the httpd process". Actually,
having the files owned by root is bad, because you have to be root to
modify them yourself, when you could just as easily "su - someuser", and
then not be sitting there at a shell prompt with superuser privs.

jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
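
The ownership split discussed in this message (httpd running as foghorn:foghorn, content owned by leghorn:leghorn) can be checked mechanically. The shell function below is an added example, not part of the original post: it lists every path under a document root that a given account could modify. The name `httpd_writable` and its argument order are hypothetical, and it assumes only the account's primary group and classic mode bits matter (no ACLs).

```shell
#!/bin/sh
# Added example, not from the original thread.
# httpd_writable ROOT USER GROUP
# Print every path under ROOT that the account USER:GROUP could modify:
#   - anything USER owns (an owner can chmod its own files back to writable)
#   - anything in GROUP with the group-write bit set
#   - anything outside GROUP with the other-write bit set
# USER and GROUP may be names or numeric ids. Symlinks are skipped because
# their own mode bits are not what the kernel checks on write.
# Assumption: only the primary group and classic mode bits are considered.
httpd_writable() {
    find "$1" ! -type l \( \
        -user "$2" \
        -o \( -group "$3" -perm -0020 \) \
        -o \( ! -group "$3" -perm -0002 \) \
    \) -print
}

# Example invocation: sh audit.sh "$DOCUMENT_ROOT" foghorn foghorn
if [ "$#" -eq 3 ]; then
    httpd_writable "$1" "$2" "$3"
fi
```

Empty output means the server account has no write path into the tree; a directory in the output means the account could add, delete or replace entries inside it.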


