[FUG-BR] Apache

FreeBSD® Hack freebsd em vserver.com.br
Thu Jan 27 16:14:41 BRST 2005


Daniel Itaborai wrote:

>you can't make suexec run as root ... read the restrictions
>in the apache documentation ... there are a lot of them
> 
>Daniel Lemos Itaborai
>
>FreeBSD® Hack <freebsd em vserver.com.br> wrote:
>Tiago Ghisi wrote:
>
>  
>
>>I need to run an application via apache, and it has to be
>>executed as the superuser. Is there a way to run apache as
>>root, or some script (it could be in php, I don't know)
>>so that the user running apache becomes the superuser?
>>
>>_______________________________________________________________
>>To send a new email to the list: freebsd em fug.com.br
>>Leave the list: http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
>>Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
>>
>This should solve it:
>
>Use the --enable-suexec option to enable the suEXEC feature by building
>and installing the "suexec" support program. Use --suexec-caller=UID to
>set the allowed caller user id, --suexec-userdir=DIR to set the user 
>subdirectory, --suexec-docroot=DIR to set the suexec root directory,
>--suexec-uidmin=UID/--suexec-gidmin=GID to set the minimal allowed
>UID/GID, --suexec-logfile=FILE to set the logfile and
>--suexec-safepath=PATH to set the safe shell PATH for the suEXEC
>feature. At least one --suexec-xxxxx option has to be provided together
>with the --enable-suexec option to let APACI accept your request for
>using the suEXEC feature.
>
>CAUTION: FOR DETAILS ABOUT THE SUEXEC FEATURE WE HIGHLY RECOMMEND YOU TO
>FIRST READ THE DOCUMENT htdocs/manual/suexec.html BEFORE USING
>THE ABOVE OPTIONS.
>
>USING THE SUEXEC FEATURE PROPERLY CAN REDUCE CONSIDERABLY THE
>SECURITY RISKS INVOLVED WITH ALLOWING USERS TO DEVELOP AND RUN
>PRIVATE CGI OR SSI PROGRAMS. HOWEVER, IF SUEXEC IS IMPROPERLY
>CONFIGURED, IT CAN CAUSE ANY NUMBER OF PROBLEMS AND POSSIBLY
>CREATE NEW HOLES IN YOUR COMPUTER'S SECURITY. IF YOU AREN'T
>FAMILIAR WITH MANAGING SETUID ROOT PROGRAMS AND THE SECURITY
>ISSUES THEY PRESENT, WE HIGHLY RECOMMEND THAT YOU NOT CONSIDER
>USING SUEXEC AND KEEP AWAY FROM THESE OPTIONS!
>
Do the following:

(from the Apache CHANGES file)
  
  *) SECURITY: Apache will refuse to run as "User root" unless
     BIG_SECURITY_HOLE is defined at compile time.  [Dean Gaudet]
--------------------

Compile apache with the define BIG_SECURITY_HOLE, set its UID to root
and run it..

see:

Server version: Apache/1.3.31 (Unix)
Server built:   Sep 19 2003 13:50:23
Server's Module Magic Number: 19990320:10
Server compiled with....
 -D EAPI
 -D BIG_SECURITY_HOLE
 -D HAVE_MMAP
 -D USE_MMAP_SCOREBOARD
 -D USE_MMAP_FILES
 -D USE_FLOCK_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D HTTPD_ROOT="/usr/local/intranet/apache"
 -D SUEXEC_BIN="/usr/local/intranet/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="/usr/local/intranet/log/httpd/access_log"
 -D DEFAULT_ERRORLOG="/usr/local/intranet/log/httpd/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"

This is my intranet server running as ROOT!

part of HTTPD_CORE.C

#if !defined (BIG_SECURITY_HOLE) && !defined (OS2)
    if (cmd->server->server_uid == 0) {
        fprintf(stderr,
                "Error:\tApache has not been designed to serve pages while\n"
                "\trunning as root.  There are known race conditions that\n"
                "\twill allow any local user to read any file on the system.\n"
                "\tIf you still desire to serve pages as root then\n"
                "\tadd -DBIG_SECURITY_HOLE to the EXTRA_CFLAGS line in your\n"
                "\tsrc/Configuration file and rebuild the server.  It is\n"
                "\tstrongly suggested that you instead modify the User\n"
                "\tdirective in your httpd.conf file to list a non-root\n"
                "\tuser.\n");
        exit (1);
    }
#endif

in short...

./configure -DBIG_SECURITY_HOLE --server-uid=root --server-gid=wheel blah blah blah... your settings!

Have fun with it!

ps: there's really no shortage of apache documentation!
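The thread's own `httpd -V` output advertises `-D BIG_SECURITY_HOLE`, and the http_core.c fragment shows that the start-up refusal to run as root exists only when that macro is undefined. Below is an added audit script, not code from the thread or from the Apache project, that an administrator can run against saved `httpd -V` output and an httpd.conf to detect exactly this configuration: a binary built with BIG_SECURITY_HOLE, and/or an active `User root` directive. File paths in the usage comment are assumptions; the sample input in `demo` is constructed after the thread's output.

```shell
#!/bin/sh
# Added audit helper, not code from the thread or from the Apache project.
# audit_build reads saved `httpd -V` output and flags a binary compiled with
# -DBIG_SECURITY_HOLE, i.e. one whose start-up refusal to run as root (the
# http_core.c check quoted in the thread) has been compiled out.
# audit_conf reads an httpd.conf and flags an active "User root" directive.
# Each function returns 0 when the input looks safe and 1 when it does not.

audit_build() {
    # $1: file holding the output of `httpd -V`
    if grep -Eq -- '-D[[:space:]]*BIG_SECURITY_HOLE' "$1"; then
        echo "WARNING: $1: httpd built with -DBIG_SECURITY_HOLE; it will accept 'User root'"
        return 1
    fi
    echo "OK: $1: BIG_SECURITY_HOLE not defined; httpd refuses 'User root' at start-up"
    return 0
}

audit_conf() {
    # $1: path to httpd.conf. Strip '#' comments first so "#User root" is
    # ignored; Apache directive names are case-insensitive, hence grep -i.
    if sed 's/#.*//' "$1" | grep -Eiq '^[[:space:]]*User[[:space:]]+root([[:space:]]|$)'; then
        echo "WARNING: $1: 'User root' is set"
        return 1
    fi
    echo "OK: $1: httpd does not run as root"
    return 0
}

# audit_host runs both checks and returns 1 if either one warns.
# $1: `httpd -V` output file, $2: httpd.conf
audit_host() {
    host_rc=0
    audit_build "$1" || host_rc=1
    audit_conf "$2" || host_rc=1
    return $host_rc
}

# demo: constructed sample input modelled on the thread's `httpd -V` output
# and configure line, written to a temporary directory so this runs offline.
# Returns 1 (both checks warn), as a root-running build should.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/httpd-V.txt" <<'EOF'
Server version: Apache/1.3.31 (Unix)
Server compiled with....
 -D EAPI
 -D BIG_SECURITY_HOLE
 -D HAVE_MMAP
EOF
    printf 'User root\nGroup wheel\n' > "$d/httpd.conf"
    if audit_host "$d/httpd-V.txt" "$d/httpd.conf"; then demo_rc=0; else demo_rc=1; fi
    rm -rf "$d"
    return $demo_rc
}

# Usage on a live host (paths are assumptions; adjust for your install):
#   httpd -V > /tmp/httpd-V.txt
#   audit_host /tmp/httpd-V.txt /usr/local/intranet/apache/conf/httpd.conf
```

The build check matters because a binary that lacks BIG_SECURITY_HOLE cannot be talked into `User root` by configuration alone, so the two checks together tell you whether the server can run as root and whether it is configured to. For the original poster's requirement the safer pattern remains the one Daniel points at: keep httpd unprivileged and delegate only the CGI that needs another identity to suexec, whose own restrictions still exclude root.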


