From owner-freebsd-security  Wed Nov 18 09:10:09 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id JAA02130
          for freebsd-security-outgoing; Wed, 18 Nov 1998 09:10:09 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from huset.math.ntnu.no (huset.math.ntnu.no [129.241.211.212])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA02043
          for <freebsd-security@FreeBSD.ORG>; Wed, 18 Nov 1998 09:09:56 -0800 (PST)
          (envelope-from perhov@stud.math.ntnu.no)
Received: (qmail 9237 invoked by uid 29119); 18 Nov 1998 17:09:17 -0000
Date: Wed, 18 Nov 1998 18:09:17 +0100 (MET)
From: Per Kristian Hove <perhov@phys.ntnu.no>
X-Sender: perhov@huset.math.ntnu.no
To: freebsd-security@FreeBSD.ORG
Subject: pkhttpd (Was: Would this make FreeBSD more secure?)
In-Reply-To: <v0401170fb2779962d724@[128.113.24.47]>
Message-ID: <Pine.GSO.3.96.981118173434.7124H-100000@huset.math.ntnu.no>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 17 Nov 1998, Garance A Drosihn wrote:

 > Seems to me the performance implications for web serving is
 > not very attractive.  In my case I just go with a minimalist
 > web server (not apache, I think the name is just "thtppd")
 > to reduce the security exposure.  (well, it reduces the
 > feature set too, of course, but I don't need the missing
 > features).

or pkhttpd:-) You can find it at ftp://ftp.pnet.no/pub/unix/pkhttpd/1.5/

pkhttpd is a minimalist (compiled binary: 12KB) web server intended to be
run from inetd (or djb's tcpserver). It was written for the PicoBSD
project, as the minimalist web server they already had, has a very
restrictive license. I (being the author) am of course biased, and would
claim that it is fairly secure, but as I'm not a security programmer (just
security-concerned), I could need some help. Is someone on this mailing
list interested in helping? All you have to do is read through the ~250
lines of code and see if you find any weaknesses (I'm sure you will) or
holes. Both I and the PicoBSD project would be very thankful.

As for its features:
- It handles 'GET' and 'HEAD' requests and does cgi.
- It logs the date, IP-address and name of requested file of every
  connection.
- When run as root, it runs in a chroot()'ed environment. It runs
  cgi programs with the user-id of the owner of the program (and never as
  root).
- When run as an ordinary user, it runs in a subdirectory of the user's
  home. Your other files should be relatively safe, since it
- doesn't allow '..' in file names/cgi programs.


-- 
per kristian                                       <perhov@phys.ntnu.no>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message