On Fri, Mar 02, 2007 at 12:03:52PM +0000, Darren J Moffat wrote:
> przemolicc at poczta.fm wrote:
> >bash-3.00# uname -a
> 
> >start/privileges astring 
> >basic,!proc_session,!proc_info,!file_link_any,net_privaddr
> 
> That looks okay.
> 
> >bash-3.00# svcadm enable apache2
> >bash-3.00# svcs -x
> 
> Did you at any time do an 'svcadm refresh apache2' ?

A few times, but I don't remember the exact order.
Basically I was following the order from
http://www.sun.com/software/solaris/howtoguides/s10securityhowto.jsp#5

> [...]
> 
> Looks like you aren't getting enough info there.
> 
> A couple of things to look at.
> 
> By default the PidFile I believe goes into /var/run/apache2, the method 
> script attempts to create that directory but that will fail because 
> /var/run is writable only by root.
> 
> My recommendation is to update the httpd.conf and put the PidFile 
> somewhere that webservd can write to.
> 
> That might help.

I have already done that:
bash-3.00# grep PidFile /etc/apache2/httpd.conf
# PidFile: The file in which the server should record its process
#PidFile /var/run/apache2/httpd.pid
PidFile /var/apache2/run/httpd.pid
bash-3.00# ls -al /var/apache2/
total 26
drwxr-xr-x  10 webservd webservd     512 Mar  2 10:45 .
drwxr-xr-x  42 root     sys         1024 Jan  9 13:02 ..
drwxr-xr-x   2 webservd webservd     512 Dec  8 09:47 build
drwxr-xr-x   2 webservd webservd     512 Dec  8 09:47 cgi-bin
drwxr-xr-x   3 webservd webservd    1024 Dec  8 09:47 error
drwxr-xr-x   2 webservd webservd    1024 Dec 18 10:02 htdocs
drwxr-xr-x   3 webservd webservd    3584 Nov 13 13:46 icons
drwxr-xr-x   2 webservd webservd     512 Mar  2 13:37 logs
drwxr-xr-x   2 webservd webservd     512 Sep  4 13:01 proxy
drwxr-xr-x   2 webservd webservd     512 Mar  2 13:40 run

> Failing that, try using the privdebug tool and reading the blueprint on 
> privilege debugging.

I have added the following line to /etc/user_attr:

bash-3.00# grep webservd /etc/user_attr 
webservd::::type=normal;defaultpriv=basic,net_privaddr

and it works now. But when I remove the line it still works (surprise!).
Is a missing 'svcadm refresh apache2' the suspected cause of the problem?

przemol
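
The message above quotes two privilege specifications: the SMF `start/privileges` value and the `defaultpriv` entry in /etc/user_attr. The following is an added example, not part of the original message, that resolves each to the privilege names it grants and lists the difference. The function names `expand_privs` and `extra_privs` are hypothetical, and the contents of `basic` are assumed to be the Solaris 10 set documented in privileges(5).

```shell
#!/bin/sh
# Added example: resolve Solaris privilege specs to the names they grant.
# Assumption: BASIC is the Solaris 10 "basic" set from privileges(5);
# other releases define it differently.
BASIC="file_link_any proc_exec proc_fork proc_info proc_session"

# expand_privs SPEC -> sorted, space-separated privilege names.
# Simplified model: tokens are applied left to right, "!name" removes name.
expand_privs() {
    acc=""
    for tok in $(echo "$1" | tr ',' ' '); do
        case $tok in
            basic) acc="$acc $BASIC" ;;
            \!*)   drop=${tok#?}; kept=""
                   for p in $acc; do
                       [ "$p" = "$drop" ] || kept="$kept $p"
                   done
                   acc=$kept ;;
            *)     acc="$acc $tok" ;;
        esac
    done
    echo $acc | tr ' ' '\n' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# extra_privs A B -> names granted by spec B but not by spec A.
extra_privs() {
    have=" $(expand_privs "$1") "
    out=""
    for p in $(expand_privs "$2"); do
        case $have in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    echo $out
}

# The two specs quoted in the message above.
SMF_SPEC='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'
USER_ATTR_SPEC='basic,net_privaddr'

echo "SMF start/privileges : $(expand_privs "$SMF_SPEC")"
echo "user_attr defaultpriv: $(expand_privs "$USER_ATTR_SPEC")"
echo "only via user_attr   : $(extra_privs "$SMF_SPEC" "$USER_ATTR_SPEC")"
```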
