Re: Apache Security
From: Julia Thorne (rimbaldi_at_nospam.tld)
Date: 03/02/05
- Previous message: Gareth Bromley: "Re: Apache Security"
- In reply to: zestyone: "Apache Security"
- Next in thread: mfproroc: "Re: Apache Security"
- Reply: mfproroc: "Re: Apache Security"
Date: Tue, 01 Mar 2005 23:19:13 GMT
On Tue, 01 Mar 2005 15:04:39 -0500, zestyone wrote:
> I read this article:
>
> http://builder.com.com/5100-6372-5113747.html?tag=ra
>
> and was wondering if anybody out there very seasoned in apache and
> linux security could make any comments on the suggestions this article
> is making. Any other things you would add to his suggestions?
> Anything technically wrong with what this author is describing?

If Apache can't access anything outside the trap directory, how is
it going to serve web pages, which have to be accessible via FTP
for users to upload their webpages? How would Apache access Perl,
Rebol, PHP, and other scripting languages? How would the virtual
servers write their logfiles? How would CGI programs write to
their own directory tree?

And if the hacker breaks Apache via a buffer overflow or something
similar, it won't matter what Apache's permissions are, because
the hacker will already have access at a deeper level.

The advantage to what the author is describing (which he doesn't
cover much, in the article) is that after the hacker exploits
your old, insecure version of Apache, you can see what changes
he tried to make to the fake system, which *might* tell you how
to protect the real system better.