This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: vi stealing SYSTEM-owned permissions and ownership
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: "Brian S. Wilson" <wilson at ds dot net>, cygwin at cygwin dot com
- Date: Sat, 2 Nov 2013 21:47:06 +0400
- Subject: Re: vi stealing SYSTEM-owned permissions and ownership
- Authentication-results: sourceware.org; auth=none
- References: <5274F396 dot A133C4CE at boland dot nl> <D7F32E9AFFD647458EB73E4ECBC03F3E at NCC1701>
- Reply-to: Andrey Repin <cygwin at cygwin dot com>
Greetings, Brian S. Wilson!
>> I'm a Linux teacher at a school for vocational education in the Netherlands.
>> I use Cyqwin to help my students overcome their fear of the command line by
>> showing them their Windows systems through the eyes of Linux.
> ...
>> After a chgrp and chmod on the entire Apache folder, the "conf" directory
>> looks like this:
>>
>> drwxrwx---+ 1 SYSTEM apache 0 28 okt 20:43 .
>> drwxrwx---+ 1 SYSTEM apache 0 2 nov 13:10 ..
>> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
>> -rwxrwx---+ 1 SYSTEM apache 34770 7 okt 23:29 httpd.default.conf
>> -rwxrwx---+ 1 SYSTEM apache 13340 3 okt 07:59 magic
>> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov 2004 magic.default
>> -rwxrwx---+ 1 SYSTEM apache 54599 3 okt 07:59 mime.types
>> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt 2012 mime.types.default
>> -rwxrwx---+ 1 SYSTEM apache 9390 5 feb 2013 openssl.cnf
>> -rwxrwx---+ 1 SYSTEM apache 11050 3 okt 07:59 ssl.conf
>> -rwxrwx---+ 1 SYSTEM apache 11030 7 okt 23:29 ssl.default.conf
>>
>>My students can now administer Apache without running Cygwin "As
> administrator".
> Your statement may not be quite accurate. The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group. I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process. Most production Apache instances do not run as the "root" user
> since this is a security risk.
> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process. The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file). It is common to see a "nobody"
> user as the owner of Apache in production systems.
> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin. I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answered. I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.
> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).
I can't imagine alot of reasons to not use native Windows Apache server, which
is much better adapted for running in Windows security environment.
--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 02.11.2013, <21:44>
Sorry for my terrible english...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple