[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] Apache running as root . . . .
- Subject: Re: [cobalt-security] Apache running as root . . . .
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sat, 9 Feb 2002 01:48:04 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Fragga,
> has anyone got any linkage regarding the apache running as root
> issue with the cobalts. I`ve read an old bugtraq thread regardng it
> however that relates to Raq 3. has anything been built into the RAQ 4`s
> for increased security regarding this flaw. A quick ps -aux on my raq 4
> still shows root to be running the show.
On a RaQ3 and RaQ4 there are two separate instances of Apache running. One
for the Cobalt GUI (listening on port 81 and optionally port 444 tcp) and the
regular Apache (listening in port 80 and optionally port 443 tcp).
The Apache for the GUI runs with "root" rights ... otherwise it would be
unable to modify the servers configuration files.
The regular Apache runs as unprivileged user "httpd" - except for the master
process, which runs as "root" and forks the unprivileged Apache instances
dynamically.
> any suggestions / discussions / solutions ;) woudl be appreciated . . .
You see ... I'm one of the security concerned (or paranoid) people on this
list (just one among many) and I have no objections to tweak my personal RaQ
to the limits to make it more secure. I don't want to sound cynical, but
basically the solution would boil down to "take it or leave it". :o/
Running the GUI as root is a must with the given architecture as
anything else is asking for a complete redesign of the administration
interface. Sure, you could disable the GUI, but then all you've got is an
(hardware wise) redicularly outdated server which still has tons of design
flaws (software wise) and no easy ways of administrations for the
point-and-click community, which the machine was designed for.
The only thumbs up I can give in that regards is the following: Even though
the Admin GUI runs as user "root" I haven't heard that it has been
sucessfully exploited in any way - so far. Which is a tribute to the
Perl-programmers behind the GUI - no doubt. The Apache GUI has been running
as root since ... 1997 with the introduction of the RaQs - if I'm not
mistaken.
There are other issues with the Cobalts which most/many/nobody (your mileage
might vary) could find more worrying. For instance that any FTP user can
wander outside his own directories and sniff around on almost the entire
machine. So there are no chrooted and sandboxed home directories and/or
services. Heck, even Bind-8 was running as user root for years, until a long
overdue official patch fixed it. Furthermore the permissions of certain files
and folders look like they've been designed in Redmond <shudder>.
So security wise you should look at the RaQs as and take 'em as a RedHat 6.2
with lots of patches to plug most of the holes which popped up in recent
years. But the training wheels are still attached and all the known hickups
of it are still right where they were back then.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer