[FUG-BR] Apache
Daniel Itaborai
itaborai83 at yahoo.com.br
Thu Jan 27 20:26:58 BRST 2005
Wow ... I liked the name "BIG_SECURITY_HOLE"
... I learned something today that I didn't know
hehehe
thanks
Daniel Lemos Itaborai
--- FreeBSD® Hack <freebsd at vserver.com.br> wrote:
> Daniel Itaborai wrote:
>
> >You can't make suexec run as root ... read the restrictions
> >in the Apache documentation ... there are many
> >
> >Daniel Lemos Itaborai
> >
> >FreeBSD® Hack <freebsd at vserver.com.br> wrote:
> >Tiago Ghisi wrote:
> >
> >>I need to run an application via Apache, and it has to be
> >>executed as the superuser. Is there a way to run Apache as
> >>root, or some script (and which script would it be? It could
> >>be in PHP, I don't know) so that the user running Apache
> >>becomes the superuser?
> >>
> >This should solve it:
> >
> >Use the --enable-suexec option to enable the suEXEC feature by building
> >and installing the "suexec" support program. Use --suexec-caller=UID to
> >set the allowed caller user id, --suexec-userdir=DIR to set the user
> >subdirectory, --suexec-docroot=DIR to set the suexec root directory,
> >--suexec-uidmin=UID/--suexec-gidmin=GID to set the minimal allowed
> >UID/GID, --suexec-logfile=FILE to set the logfile and
> >--suexec-safepath=PATH to set the safe shell PATH for the suEXEC
> >feature. At least one --suexec-xxxxx option has to be provided together
> >with the --enable-suexec option to let APACI accept your request for
> >using the suEXEC feature.
> >
> >CAUTION: FOR DETAILS ABOUT THE SUEXEC FEATURE WE HIGHLY RECOMMEND YOU TO
> >FIRST READ THE DOCUMENT htdocs/manual/suexec.html BEFORE USING
> >THE ABOVE OPTIONS.
> >
> >USING THE SUEXEC FEATURE PROPERLY CAN REDUCE CONSIDERABLY THE
> >SECURITY RISKS INVOLVED WITH ALLOWING USERS TO DEVELOP AND RUN
> >PRIVATE CGI OR SSI PROGRAMS. HOWEVER, IF SUEXEC IS IMPROPERLY
> >CONFIGURED, IT CAN CAUSE ANY NUMBER OF PROBLEMS AND POSSIBLY
> >CREATE NEW HOLES IN YOUR COMPUTER'S SECURITY. IF YOU AREN'T
> >FAMILIAR WITH MANAGING SETUID ROOT PROGRAMS AND THE SECURITY
> >ISSUES THEY PRESENT, WE HIGHLY RECOMMEND THAT YOU NOT CONSIDER
> >USING SUEXEC AND KEEP AWAY FROM THESE OPTIONS!
> >
> Do the following:
>
> (from the Apache CHANGES file)
>
> *) SECURITY: Apache will refuse to run as "User root" unless
>    BIG_SECURITY_HOLE is defined at compile time. [Dean Gaudet]
> --------------------
>
> Compile Apache with the define BIG_SECURITY_HOLE and
> set its UID to root, then it runs..
>
> see:
>
> Server version: Apache/1.3.31 (Unix)
> Server built: Sep 19 2003 13:50:23
> Server's Module Magic Number: 19990320:10
> Server compiled with....
> -D EAPI
> -D BIG_SECURITY_HOLE
> -D HAVE_MMAP
> -D USE_MMAP_SCOREBOARD
> -D USE_MMAP_FILES
> -D USE_FLOCK_SERIALIZED_ACCEPT
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D HTTPD_ROOT="/usr/local/intranet/apache"
> -D SUEXEC_BIN="/usr/local/intranet/bin/suexec"
> -D DEFAULT_PIDLOG="logs/httpd.pid"
> -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
> -D DEFAULT_LOCKFILE="logs/httpd.lock"
> -D DEFAULT_XFERLOG="/usr/local/intranet/log/httpd/access_log"
> -D DEFAULT_ERRORLOG="/usr/local/intranet/log/httpd/error_log"
> -D TYPES_CONFIG_FILE="conf/mime.types"
> -D SERVER_CONFIG_FILE="conf/httpd.conf"
> -D ACCESS_CONFIG_FILE="conf/access.conf"
> -D RESOURCE_CONFIG_FILE="conf/srm.conf"
>
> This is my intranet server running as ROOT!
>
> part of HTTPD_CORE.C
>
> "#if !defined (BIG_SECURITY_HOLE) && !defined (OS2)
>     if (cmd->server->server_uid == 0) {
>         fprintf(stderr,
>                 "Error:\tApache has not been designed to serve pages while\n"
>                 "\trunning as root. There are known race conditions that\n"
>                 "\twill allow any local user to read any file on the system.\n"
>                 "\tIf you still desire to serve pages as root then\n"
>                 "\tadd -DBIG_SECURITY_HOLE to the EXTRA_CFLAGS line in your\n"
>                 "\tsrc/Configuration file and rebuild the server. It is\n"
>                 "\tstrongly suggested that you instead modify the User\n"
>                 "\tdirective in your httpd.conf file to list a non-root\n"
>                 "\tuser.\n");
>         exit (1);
>     }
> #endif
>
> "
>
> in short...
>
> ./configure -DBIG_SECURITY_HOLE --server-uid=root --server-gid=wheel blah
> blah blah... your settings!
>
> Have fun with it!
>
> PS: there is certainly no shortage of Apache documentation!
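
A defender's check for the condition discussed in this thread, as an added example that is not part of the original messages or of Apache: it reads `httpd -V` output and an httpd.conf text and reports whether the root guard was compiled out. The `-V` sample is abridged from the listing quoted above; the config fragments and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag an Apache build/config that can
# serve requests as root.

# Constructed sample: `httpd -V` output abridged from the listing quoted above.
SAMPLE_V='Server version: Apache/1.3.31 (Unix)
Server compiled with....
 -D EAPI
 -D BIG_SECURITY_HOLE
 -D HAVE_MMAP
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'

# Constructed httpd.conf fragments (hypothetical values).
CONF_ROOT='#User nobody
User root
Group wheel'
CONF_OK='User www
Group www'

# has_root_override: succeeds if the -V text lists -D BIG_SECURITY_HOLE.
has_root_override() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*-D[[:space:]]+BIG_SECURITY_HOLE[[:space:]]*$'
}

# names_root_user: succeeds if any uncommented User directive is root or #0.
names_root_user() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "user" && ($2 == "root" || $2 == "#0") { found = 1 }
        END { exit !found }'
}

# audit_httpd: print a one-word verdict for a (-V text, config text) pair.
audit_httpd() {
    if has_root_override "$1" && names_root_user "$2"; then
        echo CRITICAL   # guard compiled out and a User line selects root
    elif has_root_override "$1"; then
        echo WARN       # guard compiled out; only the User line protects
    elif names_root_user "$2"; then
        echo REFUSED    # build without the define exits on this config
    else
        echo OK
    fi
}

audit_httpd "$SAMPLE_V" "$CONF_ROOT"
audit_httpd "$SAMPLE_V" "$CONF_OK"
```

On a live host the two arguments would come from `"$(httpd -V 2>&1)"` and `"$(cat /path/to/httpd.conf)"`, with the path being whatever SERVER_CONFIG_FILE reports.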