Re: [BUGTRAQ] php breaks safe mode

From: H D Moore (hdmat_private)
Date: Thu Jul 05 2001 - 12:31:42 PDT

    On Thursday 05 July 2001 05:11 am, Raptor wrote:
    > What do you exactly intend with "minor impact"? A user with the uid of the
    > webserver can at least kill the webserver itself... This should definitely
    > be an issue for a web hosting provider.
    
    <? system("killall -9 httpd"); ?>
    
    Not completely true.  Apache's master process still runs as root, someone 
    with access as the web user could kill the child processes which are passed 
    new requests, but they would be restarted.
    
    The more insidious problem with using PHP (module) on an Apache setup is that 
    any user can access the scripts of any other user account.  The web server 
    user needs read access to every file to serve it, the Apache process runs 
    every user's code under the same account (unless it's compiled as a CGI and 
    suexec is set up, but that causes its own problems), allowing someone to 
    go through the database of an ecom company hosted on the same server quite 
    easily. I have seen cases where an attacker would purchase an account (via 
    stolen CC of course) on the server of their target, then use the "nobody" 
    account to access all of their data (or simply spawn a shell, break root, and 
    really own them). I wonder if VirtualHost based user/group directives would 
    keep this from happening, does anyone on the list know of a way to protect 
    against this?
    
    -HD
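
An audit sketch for the exposure described in this message, added here as an example and not part of the original post: it lists which files in a shared hosting tree the web server account can read, because with PHP as a module every tenant's script runs as that account. The directory layout, file names and the web server uid are constructed assumptions.

```python
import os
import stat
import tempfile

READ, SEARCH = 4, 1  # permission bits within one rwx triplet

def allowed(st, uid, gids, bit):
    """Unix permission check: exactly one of owner/group/other applies."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & bit)

def exposed_files(root, web_uid, web_gids=frozenset()):
    """Paths under root (relative to it) that the web server account can read.
    Assumes the account can already reach `root` itself."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Opening a file needs search (x) on every parent directory, so prune
        # subtrees the account cannot enter.
        dirnames[:] = [d for d in dirnames if allowed(
            os.lstat(os.path.join(dirpath, d)), web_uid, web_gids, SEARCH)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and allowed(st, web_uid, web_gids, READ):
                found.append(os.path.relpath(path, root))
    return sorted(found)

def demo():
    """Constructed two-tenant tree; the web uid is a made-up, non-owner uid."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"alice/htdocs/db.inc.php": 0o644,   # world-readable, so servable
                  "alice/htdocs/private.php": 0o600,  # owner-only
                  "bob/htdocs/config.php": 0o644}     # readable, but home is closed
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            os.chmod(os.path.dirname(path), 0o755)    # do not depend on umask
            with open(path, "w") as fh:
                fh.write("<?php /* constructed sample */ ?>\n")
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "alice"), 0o755)
        os.chmod(os.path.join(root, "bob"), 0o700)    # closed home directory
        return exposed_files(root, web_uid=os.getuid() + 4242)

if __name__ == "__main__":
    print(demo())
```

Every path it reports for one tenant is equally readable by any other tenant's script, and a file the account cannot read is also one the PHP module cannot serve.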
    


