Re: vi stealing SYSTEM-owned permissions and ownership

public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed

From: Andrey Repin <anrdaemon@yandex.ru>
To: "Brian S. Wilson" <wilson@ds.net>, cygwin@cygwin.com
Subject: Re: vi stealing SYSTEM-owned permissions and ownership
Date: Sat, 02 Nov 2013 18:42:00 -0000	[thread overview]
Message-ID: <1709690551.20131102214706@mtu-net.ru> (raw)
In-Reply-To: <D7F32E9AFFD647458EB73E4ECBC03F3E@NCC1701>

Greetings, Brian S. Wilson!

>> I'm a Linux teacher at a school for vocational education in the Netherlands.
>> I use Cyqwin to help my students overcome their fear of the command line by
>> showing them their Windows systems through the eyes of Linux.
> ...
>> After a chgrp and chmod on the entire Apache folder, the "conf" directory
>> looks like this: 
>>
>> drwxrwx---+ 1 SYSTEM apache     0 28 okt 20:43 .
>> drwxrwx---+ 1 SYSTEM apache     0  2 nov 13:10 ..
>> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
>> -rwxrwx---+ 1 SYSTEM apache 34770  7 okt 23:29 httpd.default.conf
>> -rwxrwx---+ 1 SYSTEM apache 13340  3 okt 07:59 magic
>> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov  2004 magic.default
>> -rwxrwx---+ 1 SYSTEM apache 54599  3 okt 07:59 mime.types
>> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt  2012 mime.types.default
>> -rwxrwx---+ 1 SYSTEM apache  9390  5 feb  2013 openssl.cnf
>> -rwxrwx---+ 1 SYSTEM apache 11050  3 okt 07:59 ssl.conf
>> -rwxrwx---+ 1 SYSTEM apache 11030  7 okt 23:29 ssl.default.conf
>> 
>>My students can now administer Apache without running Cygwin "As
> administrator".

> Your statement may not be quite accurate.  The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group.  I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process.  Most production Apache instances do not run as the "root" user
> since this is a security risk.

> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process.  The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file).  It is common to see a "nobody"
> user as the owner of Apache in production systems.

> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin.  I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answered.  I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.

> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).

I can't imagine alot of reasons to not use native Windows Apache server, which
is much better adapted for running in Windows security environment.


--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 02.11.2013, <21:44>

Sorry for my terrible english...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

next prev parent reply	other threads:[~2013-11-02 18:42 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-11-02 12:55 D. Boland
2013-11-02 13:36 ` Brian S. Wilson
2013-11-02 18:42   ` Andrey Repin [this message]
2013-11-02 21:58   ` D. Boland
2013-11-02 22:35     ` Andrey Repin
2013-11-03 18:47       ` D. Boland
2013-11-03 22:05         ` Andrey Repin
2013-11-04 11:23         ` Brian S. Wilson
2013-11-04 14:54           ` Lavrentiev, Anton (NIH/NLM/NCBI) [C]
2013-11-04 17:05             ` Larry Hall (Cygwin)
2013-11-05  5:54 ` D. Boland
2013-11-05 17:38   ` Achim Gratz
2013-11-08 14:25     ` D. Boland
2013-11-08 15:59       ` Lavrentiev, Anton (NIH/NLM/NCBI) [C]
2013-11-08 20:20       ` Andrey Repin
2013-11-27 18:11   ` D. Boland

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1709690551.20131102214706@mtu-net.ru \
    --to=anrdaemon@yandex.ru \
    --cc=cygwin@cygwin.com \
    --cc=wilson@ds.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).