Simon,

Btw, what if I automate the whole process? And the httpd.conf just is
not being edited by the admin but by a binary code (out of the chrooted VS)?

What about if you have those perl/C programs away from your host server
and you're doing remote administration? (i.e. customers do not have
shell access at all, only web)

Of course, you have access through ssh to the host server to do maintenance.

The problem is not httpd being executed by root, but who might have access
to important configuration files.

Regards,

P.S.: btw, has anyone implemented anything else around VSD besides installing
      software in the VS?

> From: "Darryl Ross" <[EMAIL PROTECTED]>
>>
>> Wouldn't it be possible to create the log files with the username and group
>> of the user that Apache is going to be running as before starting it up?
>> That way they will be owned by a non-root user and the ownership wouldn't
>> change??
>>
>> Just my thoughts
> 
> That's not the problem - the problem is the files are opened as root. This
> can be used to overwrite protected system files. So, for example, I can edit
> httpd.conf and add:
> 
>     LogFormat "root:nsSE4364:0:0::/root:/bin/bash" haxor
>     CustomLog /etc/passwd haxor
> 
> To create myself a new root user (or at least mangle the passwd file).
> 
> This is possible when 1) Apache is started as root (never mind the setting of
> the User directive), and 2) I have access to httpd.conf. Since in a VSD we
> want the admin user to be able to edit httpd.conf, then we have to not start
> Apache as root (preferably we should start it as admin). But then we have
> the problem of how to make it bind to port 80.
_______________________________________________________
Urivan Saaib
Presidente
CiberNET Mexico
Email: [EMAIL PROTECTED]
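
An added example, not part of the original thread: whichever process ends up writing httpd.conf, a pre-start check can refuse a configuration whose log directives point outside the log directory, which is the condition the quoted CustomLog lines rely on. The function name, the allowed directory and the sample configuration are assumptions constructed for illustration.

```python
import os
import shlex

# Directives whose first argument is a file Apache opens at startup
# (as root, when the parent process is started as root).
LOG_DIRECTIVES = {"customlog", "errorlog", "transferlog"}

def audit_log_targets(conf_text, server_root, allowed_dir):
    """Return (line_no, directive, target, reason) for each risky log target."""
    findings = []
    allowed = os.path.normpath(allowed_dir)
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes; cannot be judged here
        if len(parts) < 2 or parts[0].lower() not in LOG_DIRECTIVES:
            continue
        directive, target = parts[0], parts[1]
        if target.startswith("|"):
            findings.append((line_no, directive, target, "piped program, review manually"))
            continue
        if target.startswith("syslog"):
            continue
        # Relative paths resolve against ServerRoot. normpath collapses ".."
        # but does not follow symlinks; that would need a check on the host.
        path = os.path.normpath(os.path.join(server_root, target))
        if os.path.commonpath([path, allowed]) != allowed:
            findings.append((line_no, directive, path, "outside log directory"))
    return findings

# Constructed sample configuration, including the two lines quoted above.
SAMPLE_CONF = '''
ServerRoot "/etc/httpd"
ErrorLog logs/error_log
LogFormat "root:nsSE4364:0:0::/root:/bin/bash" haxor
CustomLog /etc/passwd haxor
CustomLog logs/../../passwd common
CustomLog "|/usr/bin/rotatelogs logs/access 86400" common
'''

if __name__ == "__main__":
    for finding in audit_log_targets(SAMPLE_CONF, "/etc/httpd", "/etc/httpd/logs"):
        print(finding)
```

A wrapper that starts Apache only when this returns an empty list addresses the log-path case; it does not cover other directives that make the root parent process open or execute files.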