Date:      Wed, 18 Nov 1998 10:20:33 -0800 (PST)
From:      Marc Slemko <marcs@znep.com>
To:        Per Kristian Hove <perhov@phys.ntnu.no>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: pkhttpd (Was: Would this make FreeBSD more secure?)
Message-ID:  <Pine.BSF.4.05.9811181007500.19474-100000@alive.znep.com>
In-Reply-To: <Pine.GSO.3.96.981118173434.7124H-100000@huset.math.ntnu.no>

On Wed, 18 Nov 1998, Per Kristian Hove wrote:

> On Tue, 17 Nov 1998, Garance A Drosihn wrote:
> 
>  > Seems to me the performance implications for web serving are
>  > not very attractive.  In my case I just go with a minimalist
>  > web server (not apache, I think the name is just "thttpd")
>  > to reduce the security exposure.  (well, it reduces the
>  > feature set too, of course, but I don't need the missing
>  > features).
> 
> or pkhttpd:-) You can find it at ftp://ftp.pnet.no/pub/unix/pkhttpd/1.5/
> 
> pkhttpd is a minimalist (compiled binary: 12KB) web server intended to be
> run from inetd (or djb's tcpserver). It was written for the PicoBSD
> project, as the minimalist web server they already had has a very
> restrictive license. I (being the author) am of course biased, and would
> claim that it is fairly secure, but as I'm not a security programmer (just
> security-concerned), I could need some help. Is someone on this mailing
> list interested in helping? All you have to do is read through the ~250
> lines of code and see if you find any weaknesses (I'm sure you will) or
> holes. Both I and the PicoBSD project would be very thankful.

"minimalist" is fine, but it would be a mistake to call this a web server.
It really isn't any sort of general solution to the problem presented (ie.
starting from inetd sucks because it is far too expensive).  thttpd is ok
in that it mostly complies with HTTP standards and actually acts like a web
server, it is just light on features which, if you don't need them, no big
deal.

pkhttpd may be fine if you are only interested in something that will
often appear close enough to a web server so clients can often understand
it for a very restricted set of content.

It doesn't read the full request headers, it doesn't output error messages
properly (outputs two sets of headers for a 404), it prints random memory
locations for unknown MIME types, it doesn't support HEAD properly
(doesn't terminate the headers with a blank line), etc.

> 
> As for its features:
> - It handles 'GET' and 'HEAD' requests and does cgi.

No, it doesn't.  It doesn't do CGI (CGI is an interface that is defined,
it isn't just running whatever program you want), and it doesn't support
even HTTP/1.0.  You will face a very real problem with lost responses if
anyone ever sends headers in multiple packets, which some systems do a
lot.

> - It logs the date, IP-address and name of requested file of every
>   connection.
> - When run as root, it runs in a chroot()'ed environment. It runs
>   cgi programs with the user-id of the owner of the program (and never as
>   root).

ie. on a system where someone can give away ownership of files, this
lets them execute programs as an arbitrary UID.

> - When run as an ordinary user, it runs in a subdirectory of the user's
>   home. Your other files should be relatively safe, since it
> - doesn't allow '..' in file names/cgi programs.

