Hi Fragga, > has anyone got any linkage regarding the apache running as root > issue with the cobalts. I`ve read an old bugtraq thread regardng it > however that relates to Raq 3. has anything been built into the RAQ 4`s > for increased security regarding this flaw. A quick ps -aux on my raq 4 > still shows root to be running the show.
On a RaQ3 and RaQ4 there are two separate instances of Apache running. One for the Cobalt GUI (listening on port 81 and optionally port 444 tcp) and the regular Apache (listening in port 80 and optionally port 443 tcp). The Apache for the GUI runs with "root" rights ... otherwise it would be unable to modify the servers configuration files. The regular Apache runs as unprivileged user "httpd" - except for the master process, which runs as "root" and forks the unprivileged Apache instances dynamically. > any suggestions / discussions / solutions ;) woudl be appreciated . . . You see ... I'm one of the security concerned (or paranoid) people on this list (just one among many) and I have no objections to tweak my personal RaQ to the limits to make it more secure. I don't want to sound cynical, but basically the solution would boil down to "take it or leave it". :o/ Running the GUI as root is a must with the given architecture as anything else is asking for a complete redesign of the administration interface. Sure, you could disable the GUI, but then all you've got is an (hardware wise) redicularly outdated server which still has tons of design flaws (software wise) and no easy ways of administrations for the point-and-click community, which the machine was designed for. The only thumbs up I can give in that regards is the following: Even though the Admin GUI runs as user "root" I haven't heard that it has been sucessfully exploited in any way - so far. Which is a tribute to the Perl-programmers behind the GUI - no doubt. The Apache GUI has been running as root since ... 1997 with the introduction of the RaQs - if I'm not mistaken. There are other issues with the Cobalts which most/many/nobody (your mileage might vary) could find more worrying. For instance that any FTP user can wander outside his own directories and sniff around on almost the entire machine. So there are no chrooted and sandboxed home directories and/or services. Heck, even Bind-8 was running as user root for years, until a long overdue official patch fixed it. Furthermore the permissions of certain files and folders look like they've been designed in Redmond <shudder>. So security wise you should look at the RaQs as and take 'em as a RedHat 6.2 with lots of patches to plug most of the holes which popped up in recent years. But the training wheels are still attached and all the known hickups of it are still right where they were back then. -- With best regards, Michael Stauber [EMAIL PROTECTED] Unix/Linux Support Engineer _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
