Delivered-To: freebsd-isp@freebsd.org
From: "Alastair D'Silva"
To: "'Dave'"
Subject: RE: Questions about Apache
Date: Sat, 23 Mar 2002 12:50:37 +1100
Organization: New Millennium Networking

> The recommendation being to have the keys readable only by
> root (chmod 600), then you can start apache via root, then
> direct apache via the conf file to run as user www (or
> whatever)... starting as root allows it to read the key
> (which is readable only by root), and apache runs all
> requests as the user specified in the conf file. Given your
> buffer overflow, they would logically inherit the permission
> of the web server (www, apache, nobody...) and not be able to
> view the directory or key files at all, nor any other files
> on the server if you are set up correctly, far better setup
> than having a file readable by the web server user.
>

By your same argument, if Apache is started as root (then changes to
another user), and the script is only executable by root, then the said
malicious user would not be able to execute the script.

I'm not saying you *have* to do this, but it does introduce more
complexity for the intruder to work around, which could give you the
time you need to detect the intrusion.

--
Alastair D'Silva B. Sc.
mob: 0413 485 733
Networking Consultant
New Millennium Networking
http://www.newmillennium.net.au
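A check for the setup discussed in this thread, as an added example that is not code from either poster: it reads the `User` and `SSLCertificateKeyFile` directives from httpd.conf-style text and reports keys that are not owned by root with mode 0600 or tighter, plus a worker identity that is still root. The function names and the `owner_uid` parameter are assumptions made for this example.

```python
import os
import re
import stat

# Only the two directives this check needs; "UserDir" and "#" comments do not match.
DIRECTIVE = re.compile(r'^\s*(User|SSLCertificateKeyFile)\s+"?([^"\s]+)"?', re.I)

def parse_conf(text):
    """Return (worker_user, [key_paths]) from httpd.conf-style text."""
    user, keys = None, []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        if m.group(1).lower() == "user":
            user = m.group(2)
        else:
            keys.append(m.group(2))
    return user, keys

def audit(conf_text, owner_uid=0):
    """List deviations from the start-as-root, serve-as-www key setup.

    owner_uid is the uid expected to own the keys (0 = root, as in the thread).
    """
    findings = []
    user, keys = parse_conf(conf_text)
    if user is None:
        findings.append("no User directive in this text: worker identity unknown")
    elif user in ("root", "#0"):
        findings.append(f"User {user}: worker processes would keep root privileges")
    for path in keys:
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append(f"{path}: cannot stat ({exc.strerror})")
            continue
        if st.st_uid != owner_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o177:  # any bit beyond read/write for the owner
            findings.append(f"{path}: mode {mode:04o} is wider than 0600")
    return findings

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:  # path to the httpd.conf to check
        print("\n".join(audit(fh.read())) or "ok")
```

Run it as root against the live configuration so that `os.stat` can reach key files inside root-only directories.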