This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: vi stealing SYSTEM-owned permissions and ownership


Greetings, Brian S. Wilson!

>> I'm a Linux teacher at a school for vocational education in the Netherlands.
>> I use Cyqwin to help my students overcome their fear of the command line by
>> showing them their Windows systems through the eyes of Linux.
> ...
>> After a chgrp and chmod on the entire Apache folder, the "conf" directory
>> looks like this: 
>>
>> drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
>> drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
>> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
>> -rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
>> -rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
>> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
>> -rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
>> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
>> -rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
>> -rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
>> -rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf
>> 
>>My students can now administer Apache without running Cygwin "As
> administrator".

> Your statement may not be quite accurate.  The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group.  I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process.  Most production Apache instances do not run as the "root" user
> since this is a security risk.

> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process.  The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file).  It is common to see a "nobody"
> user as the owner of Apache in production systems.

> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin.  I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answered.  I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.

> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).

I can't imagine alot of reasons to not use native Windows Apache server, which
is much better adapted for running in Windows security environment.


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 02.11.2013, <21:44>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]