From: Andrey Repin <anrdaemon@yandex.ru>
To: "Brian S. Wilson" <wilson@ds.net>, cygwin@cygwin.com
Subject: Re: vi stealing SYSTEM-owned permissions and ownership
Date: Sat, 02 Nov 2013 18:42:00 -0000
Message-ID: <1709690551.20131102214706@mtu-net.ru>
In-Reply-To: <D7F32E9AFFD647458EB73E4ECBC03F3E@NCC1701>
Greetings, Brian S. Wilson!
>> I'm a Linux teacher at a school for vocational education in the Netherlands.
>> I use Cygwin to help my students overcome their fear of the command line by
>> showing them their Windows systems through the eyes of Linux.
> ...
>> After a chgrp and chmod on the entire Apache folder, the "conf" directory
>> looks like this:
>>
>> drwxrwx---+ 1 SYSTEM apache 0 28 okt 20:43 .
>> drwxrwx---+ 1 SYSTEM apache 0 2 nov 13:10 ..
>> -rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
>> -rwxrwx---+ 1 SYSTEM apache 34770 7 okt 23:29 httpd.default.conf
>> -rwxrwx---+ 1 SYSTEM apache 13340 3 okt 07:59 magic
>> -rwxrwx---+ 1 SYSTEM apache 13340 21 nov 2004 magic.default
>> -rwxrwx---+ 1 SYSTEM apache 54599 3 okt 07:59 mime.types
>> -rwxrwx---+ 1 SYSTEM apache 54599 17 mrt 2012 mime.types.default
>> -rwxrwx---+ 1 SYSTEM apache 9390 5 feb 2013 openssl.cnf
>> -rwxrwx---+ 1 SYSTEM apache 11050 3 okt 07:59 ssl.conf
>> -rwxrwx---+ 1 SYSTEM apache 11030 7 okt 23:29 ssl.default.conf
>>
>> My students can now administer Apache without running Cygwin "As
>> administrator".
> Your statement may not be quite accurate. The Cygwin Apache instance
> appears to be running as the "SYSTEM" user since that is the file owner, but
> your students can administer the files because they are members of the
> "apache" group. I can't really tell which user id is running your Apache
> process because I don't know how you are actually starting the Apache
> process. Most production Apache instances do not run as the "root" user
> since this is a security risk.
> If my guess about the Apache process owner is correct, please make your
> students aware that if someone hacks their Cygwin Apache servers, the hacker
> may gain the same user access rights as the user id actually running the
> Apache process. The Apache process owner would normally be a unique user
> account with no login or access privileges to protect the server from
> successful attacks (just because your Apache files are owned by "SYSTEM",
> Apache could be started under another, less privileged, user id for better
> protection; but it is common practice to have the file owner also be the
> user id that normally executes the file). It is common to see a "nobody"
> user as the owner of Apache in production systems.
> I've spent some time over several years trying to figure out how to get
> Apache working as a "nobody" user under Cygwin. I've never succeeded in
> getting it to work properly, and my comments to this board have not yielded
> an answer. I don't think it is possible to make Apache work this way
> under Cygwin, but your students should be made aware of this difference.
> If anyone is aware of how to get Apache working using a restricted "nobody"
> user id under Cygwin, please respond (or start a new thread).
I can't imagine a lot of reasons to not use the native Windows Apache server, which
is much better adapted for running in the Windows security environment.
--
WBR,
Andrey Repin (anrdaemon@yandex.ru) 02.11.2013, <21:44>
Sorry for my terrible English...
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
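Brian's point that the account running httpd should not be able to rewrite its own configuration can be checked against a listing like the one quoted above. The script below is an added example, not code from this thread or from Cygwin; it parses the Cygwin `ls -l` format shown (the sample is constructed from the quoted listing, with one file's group write bit cleared for contrast) and reports which entries a given account could modify, judging by the POSIX mode bits only; the hypothetical service user `nobody` in group `apache` is an assumption, and the trailing `+` (Windows ACL entries) is not evaluated.

```shell
#!/bin/sh
# Added example: find entries in an `ls -l` listing that a service account
# (or a group it belongs to) could modify. ACL entries marked by '+' are
# NOT evaluated; only the nine POSIX permission characters are consulted.

# writable_by MODE OWNER GROUP USER [GROUP...]
# Returns 0 when USER has write access: as the owner (char 3), via one of
# its GROUPs matching the file group (char 6), or via "other" (char 9).
writable_by() {
    mode=$1; owner=$2; group=$3; user=$4; shift 4
    if [ "$user" = "$owner" ]; then
        [ "$(printf '%s' "$mode" | cut -c3)" = "w" ] && return 0
    fi
    for g in "$@"; do
        if [ "$g" = "$group" ]; then
            [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] && return 0
        fi
    done
    [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

# audit_listing USER [GROUP...] < listing
# Prints the name of every entry that USER could modify.
audit_listing() {
    user=$1; shift
    # Cygwin `ls -l` fields: mode links owner group size day month time/year name
    while read -r mode links owner group size d1 d2 d3 name; do
        [ -z "$name" ] && continue
        if writable_by "$mode" "$owner" "$group" "$user" "$@"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample based on the quoted listing; ssl.conf has its group
# write bit cleared so the audit has something to pass as well as flag.
SAMPLE_LISTING='-rwxrwx---+ 1 SYSTEM apache 35142 26 okt 18:07 httpd.conf
-rwxr-x---+ 1 SYSTEM apache 11050 3 okt 07:59 ssl.conf
-rwxrwx---+ 1 SYSTEM apache 54599 3 okt 07:59 mime.types'

# Usage: what could a hypothetical "nobody" in group "apache" rewrite?
printf '%s\n' "$SAMPLE_LISTING" | audit_listing nobody apache
```

Anything the script prints is a file the service account could alter after a compromise; running the same check against a real `ls -l` of the conf directory shows whether the group-writable layout from the thread leaves the configuration exposed to the httpd account.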