From: "Darryl Ross" <[EMAIL PROTECTED]>
>
> Wouldn't it be possible to create the log files with the username and group
> of the user that Apache is going to be running as before starting it up?
> That way they will be owned by a non-root user and the ownership wouldn't
> change??
>
> Just my thoughts
>
> Darryl
That's not the problem - the problem is the files are opened as root. This
can be used to overwrite protected system files. So, for example, I can edit
httpd.conf and add:

    LogFormat "root:nsSE4364:0:0::/root:/bin/bash" haxor
    CustomLog /etc/passwd haxor

To create myself a new root user (or at least mangle the passwd file).

This is possible when 1) Apache is started as root (never mind the setting of
the User directive), and 2) I have access to httpd.conf. Since in a VSD we
want the admin user to be able to edit httpd.conf, then we have to not start
Apache as root (preferably we should start it as admin). But then we have
the problem of how to make it bind to port 80.
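
A defensive check for the two conditions named in the message above, as an added example that is not part of the original e-mail: it scans httpd.conf text for log directives whose target lies outside a dedicated log directory, and tests whether the config file is editable by a non-root account. The function names and the default paths `/var/log/httpd` and `/etc/httpd` are assumptions.

```python
import os
import re
import shlex
import stat

# Directives whose first argument names a file Apache opens at startup,
# i.e. while still running as root when it is started as root.
LOG_DIRECTIVES = ("customlog", "errorlog", "transferlog")
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*)$")

def audit_log_targets(conf_text, allowed_dir="/var/log/httpd",
                      server_root="/etc/httpd"):
    """Return (line_no, directive, target, reason) for each log target that is
    not a plain file under allowed_dir. Both default paths are assumptions."""
    allowed = os.path.realpath(allowed_dir)
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(raw)
        if not m or m.group(1).lower() not in LOG_DIRECTIVES:
            continue
        try:
            target = shlex.split(m.group(2))[0]
        except (ValueError, IndexError):
            findings.append((line_no, m.group(1), m.group(2), "unparseable"))
            continue
        if target.startswith("|"):
            findings.append((line_no, m.group(1), target, "piped program"))
        elif target.split(":")[0] != "syslog":
            # Resolve against ServerRoot; realpath collapses ".." and symlinks.
            path = os.path.realpath(os.path.join(server_root, target))
            if os.path.commonpath([allowed, path]) != allowed:
                findings.append((line_no, m.group(1), target, "outside log dir"))
    return findings

def editable_by_non_root(path):
    """True if a non-root account owns the file or group/other may write it."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample: the two lines from the message plus two more log lines.
SAMPLE_CONF = '''\
LogFormat "root:nsSE4364:0:0::/root:/bin/bash" haxor
CustomLog /etc/passwd haxor
CustomLog /var/log/httpd/access_log common
ErrorLog /var/log/httpd/../../../etc/motd
'''

if __name__ == "__main__":
    print(audit_log_targets(SAMPLE_CONF))
```
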

