From: Charles Swiger
Date: Mon, 3 May 2004 13:28:41 -0400
To: Marty Landman
Cc: FreeBSD-questions Questions
Subject: Re: Suexec with Apache 1.3.29

On May 3, 2004, at 12:42 PM, Marty Landman wrote:
> Maybe this is a foolish question, but how can reasonable security on a
> server running Windows/Apache be achieved?

I'm not convinced that Windows can be configured to offer Internet-reachable services with "reasonable security", but excluding that concern: configure Apache to run as a system service started upon boot as an untrusted user which lacks permissions to change the files under Apache's document root.

> If the answer is what I fear, do you think that the 'native' MS
> server, IIS can be configured more securely than Apache?

A review of the security history of both web servers suggests that IIS is significantly less secure than Apache. IIS and/or SQLserver sometimes get installed and enabled by surprise when a user installs certain other M$ software, like the dev tools....

> Looking at it in another way, is it possible to have a secure, network
> accessible server of any type w/o the Unix style permissions concept
> in place?

Certainly. Systems which do not use Unix-style permissions tend to use an access-control-list (ACL) schema instead, which some people like better, but there are other security models as well.

[ This thread is drifting off-topic for a FreeBSD list. ]

-- 
-Chuck
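
The configuration described in the reply above (Apache as a boot-time service under an untrusted account that cannot change files under the document root) can be audited with the following PowerShell script. It is an added example, not part of the original message; the service name `Apache` and the path `C:\Apache\htdocs` are assumptions to replace with the local values.

```powershell
# Added example. Service name and document root are assumptions; set them for your install.
param(
    [string]$ServiceName  = 'Apache',            # assumed service name
    [string]$DocumentRoot = 'C:\Apache\htdocs'   # assumed document root
)

# Rights that allow changing content or permissions (read/execute bits excluded),
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x50000000

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Service {0}: StartMode={1}, runs as {2}" -f $svc.Name, $svc.StartMode, $svc.StartName

if ($svc.StartMode -ne 'Auto') { Write-Warning 'Service is not set to start at boot.' }
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
    Write-Warning 'Service runs as LocalSystem, which can modify any file.'
}

# Identities whose ACEs apply to the service account: the account itself and the
# broad groups every local account falls under (English names assumed). Other
# group memberships of the account are not resolved, so this is not a full
# effective-access calculation.
$account = $svc.StartName -replace '^\.\\', ($env:COMPUTERNAME + '\')
$applies = @($account, 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Walk the document root and collect Allow ACEs that grant any write-type right.
$items = @(Get-Item -LiteralPath $DocumentRoot) +
         @(Get-ChildItem -LiteralPath $DocumentRoot -Recurse -Force)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $applies -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write-capable ACEs for the service account or broad groups under the document root.' }
```

Any row in the output is a path the web server's account could modify, either directly or through a group that includes it.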