Date: Thu, 23 Oct 1997 23:22:51 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: Bernie Doehner <bad@uhf.wireless.net>
Cc: "Scot W. Hetzel" <hetzels@aol.com>, FreeBSD Ports <ports@FreeBSD.ORG>
Subject: Re: Apache w/FrontPage Module Port (fwd)
Message-ID: <Pine.BSF.3.95.971023232108.11617O-100000@alive.znep.com>
On Fri, 24 Oct 1997, Bernie Doehner wrote:

> > It is not acceptable for the vast majority of sites. Unless I
> > misunderstand what is being suggested, I would strongly oppose such a port
> > ever being included in the FreeBSD ports collection and suspect I would be
> > well supported in this view. Nothing prevents people from setting up
> > their own server for special circumstances. Defaults must not be made
> > insecure because of it.
>
> In that case (if we are throwing configurability out the window and going
> for a basic / securely installed server), how about also keeping
> CGI and frontpage extensions out of the "default"?
>
> After all, front page extensions/CGI is not a critical part
> of the web server and not needed for a very basic/secure ports based
> collection. Like you said, people can set up their own servers for special
> circumstances. Our organization does not consider front page extensions
> or CGI (with the exception of a numbers CGI) a necessity for a functioning
> server.

Someone is saying they want to make a package of Apache with the frontpage
extensions. That's fine. There are enough people who want to use them to
make it worthwhile. Since that is the goal of the particular port, you have
to allow it. That doesn't mean it has to have gaping security holes.

> > No. Try it some day. If you own it, you can modify it unless you take
> > special care like setting it immutable. In the typical setup running on
> > port 80, that means you can modify a binary run by root.
>
> AHHH.. I see what you mean (in the "default/standard" configuration).

It would make no sense to have an Apache w/FrontPage extensions port that
doesn't default to port 80. You have to understand that running on a
port >1024 is a special case that is not acceptable to most people. I am
not saying that things should not be configurable, but if the _default_ is
port 80 then the _default_ must be to do things so they are secure on
port 80.

For many people, running on ports >1024 isn't an option because then, if you
don't have a Listen directive for every IP address on the machine (which you
shouldn't, since it is wasteful in normal circumstances), anyone can steal
connections that clients make to the server.

[...]

> In this scenario, with the web server running under the uid of the owner
> of the logs directory and on a port > 1024, the uid of the owner of the
> logs directory. In this scenario I don't see how the web server can obtain
> root privileges because root never executed the web server program in the
> first place.

That is not what is being discussed. I made it clear that this is an issue
when it is started by root. My guess (and I think I have some basis for
this) is that a very large percent of the Apache servers fit into this
category, and nearly every single default configuration for every packaged
Apache in any operating system does. While it is possible to do it other
ways, that brings up other security issues and simply is not a sensible
default.

You suggested, without qualification, that config files and
/usr/local/etc/apache should be owned by the user Apache runs as. This
advice is simply incorrect and should not be followed; bringing up special
cases after the fact does not change that.
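The ownership problem argued over above (a root-started server whose config and binary are owned by the unprivileged server user) can be checked mechanically. The following audit script is an added example, not code from the thread or from the Apache project; the ServerRoot layout, the uids and the sample tree it builds are constructed for the demonstration.

```python
"""Audit an Apache ServerRoot for files the unprivileged server user could
modify. Added example, not code from the thread above; the directory
layout, the uids and the sample tree are constructed here."""
import os
import stat
import tempfile

def writable_by(uid, gids, st):
    """Can a non-root user (uid, member of gids) write to the file with
    stat result `st`? Ownership and mode bits only; the immutable flag
    the thread mentions is not consulted."""
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def audit_tree(root, uid, gids=()):
    """Sorted relative paths under `root` the server user could modify.
    For a server started by root, anything under conf/ or bin/ here is
    the thread's problem: root reads the config and executes the binary,
    so whoever controls those controls what root does."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # symlinks skipped: their mode is meaningless
            if not stat.S_ISLNK(st.st_mode) and writable_by(uid, gids, st):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def build_sample_root():
    """Constructed ServerRoot: conf/ and bin/ writable by their owner only,
    logs/ world-writable. Files are owned by whoever runs this script."""
    root = tempfile.mkdtemp(prefix="serverroot-")
    for sub, mode in (("conf", 0o755), ("bin", 0o755), ("logs", 0o777)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    for rel, mode in (("conf/httpd.conf", 0o644), ("bin/httpd", 0o755)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(os.path.join(root, rel), mode)
    return root

def run_demo():
    # Case 1: server runs as the file owner (the advice the thread rejects).
    # Case 2: server runs as a separate uid that owns nothing in the tree.
    root = build_sample_root()
    return audit_tree(root, os.getuid()), audit_tree(root, os.getuid() + 1)

if __name__ == "__main__":
    print(run_demo())  # -> (['bin', 'bin/httpd', 'conf', 'conf/httpd.conf', 'logs'], ['logs'])
```

In the first case every path, the binary included, is modifiable by the server user; in the second only the world-writable logs directory remains, which is the separate logs-directory question the thread goes on to discuss.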