Date: Wed, 18 Nov 1998 18:09:17 +0100 (MET)
From: Per Kristian Hove <perhov@phys.ntnu.no>
To: freebsd-security@FreeBSD.ORG
Subject: pkhttpd (Was: Would this make FreeBSD more secure?)
Message-ID: <Pine.GSO.3.96.981118173434.7124H-100000@huset.math.ntnu.no>
In-Reply-To: <v0401170fb2779962d724@[128.113.24.47]>

On Tue, 17 Nov 1998, Garance A Drosihn wrote:

> Seems to me the performance implications for web serving are
> not very attractive. In my case I just go with a minimalist
> web server (not apache, I think the name is just "thtppd")
> to reduce the security exposure. (well, it reduces the
> feature set too, of course, but I don't need the missing
> features).

or pkhttpd :-)

You can find it at ftp://ftp.pnet.no/pub/unix/pkhttpd/1.5/

pkhttpd is a minimalist (compiled binary: 12KB) web server intended to
be run from inetd (or djb's tcpserver). It was written for the PicoBSD
project, as the minimalist web server they already had has a very
restrictive license.

I (being the author) am of course biased, and would claim that it is
fairly secure, but as I'm not a security programmer (just
security-concerned), I could use some help.

Is someone on this mailing list interested in helping? All you have to
do is read through the ~250 lines of code and see if you find any
weaknesses (I'm sure you will) or holes. Both I and the PicoBSD project
would be very thankful.

As for its features:

 - It handles 'GET' and 'HEAD' requests and does cgi.
 - It logs the date, IP-address and name of requested file of every
   connection.
 - When run as root, it runs in a chroot()'ed environment. It runs cgi
   programs with the user-id of the owner of the program (and never as
   root).
 - When run as an ordinary user, it runs in a subdirectory of the
   user's home. Your other files should be relatively safe, since it
 - doesn't allow '..' in file names/cgi programs.

--
per kristian <perhov@phys.ntnu.no>
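
The '..' restriction in the feature list above is the kind of check a reviewer of such a server would look at first. The following is an added example, not part of the original message and not pkhttpd's code: the function names, the 1024-byte buffer and the choice to percent-decode before checking are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in place. Returns 0 on success, -1 on a malformed
 * escape or a decoded NUL byte (which would truncate the path in C). */
static int url_decode(char *s)
{
    char *out = s;
    while (*s) {
        if (*s == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
                return -1;
            char hex[3] = { s[1], s[2], '\0' };
            char c = (char)strtol(hex, NULL, 16);
            if (c == '\0')
                return -1;
            *out++ = c;
            s += 3;
        } else {
            *out++ = *s++;
        }
    }
    *out = '\0';
    return 0;
}

/* Hypothetical check: returns 1 if the request path may be served,
 * 0 if it must be refused. The path is decoded first, so an escaped
 * "%2e%2e" is seen as ".." by the component walk below. */
int request_path_ok(const char *raw)
{
    char buf[1024];                      /* assumed maximum path length */
    size_t len = strlen(raw);
    if (raw[0] != '/' || len >= sizeof buf)
        return 0;
    memcpy(buf, raw, len + 1);
    if (url_decode(buf) != 0)
        return 0;
    /* Walk the components between '/' separators; refuse any "..". */
    for (char *p = buf; *p; ) {
        while (*p == '/')
            p++;
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
    }
    return 1;
}
```

The check compares whole path components, so a file name such as "a..b" is still served; a stricter server could instead refuse any path containing the two-character sequence.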