Mailing List Archive

Apache first process without root privileges
Hello,

In the last weeks, I got rootkitted because of an awstats/cgi vulnerability.
So the guys who did this made a script download a tar, uncompress and start
it with this vulnerability, and so I was unable to do ls, ps, id, env etc ...

So my question is: is it a solution to run the first Apache process
without root privileges to avoid problems like I had?

Here is the current tree of Apache processes:

root 11581 0.0 0.9 32760 4940 ? Ss Apr02 0:00 /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart
apache 11585 0.0 0.9 31008 4776 ? S Apr02 0:00 \_ /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart
apache 11587 0.0 1.2 32784 6316 ? S Apr02 0:00 \_ /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart
apache 11588 0.0 1.8 33560 9452 ? S Apr02 0:00 \_ /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart
apache 11589 0.0 1.2 32784 6220 ? S Apr02 0:00 \_ /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart
apache 11590 0.0 1.8 33508 9464 ? S Apr02 0:00 \_ /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart
apache 11591 0.0 1.2 32784 6344 ? S Apr02 0:00 \_ /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart
apache 17356 0.0 1.4 32784 7316 ? S Apr02 0:00 \_ /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart
apache 26123 0.0 1.0 32760 5448 ? S 17:08 0:00 \_ /usr/sbin/apache2 -D PHP4 -D USERDIR -D SSL -D DAV -D SVN -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -E /var/log/apache2/startuperror.log -k restart


Thanks
Beber
--
gentoo-security@gentoo.org mailing list
Re: Apache first process without root privileges

Bertrand Jacquin wrote:

> So my question is : Is it a solution for running first apache
> process without root privilege to avoid problems like I had.

I don't think there's a way to run Apache (which opens port 80)
without root privileges, but scripts could be run with suexec or
Apache chrooted.

Hth.

--
Christophe Garault


Re: Apache first process without root privileges
Ok, I see

Many programs start with root privileges, and after the root-dependent init,
then "fork" as another user, like exim, svnserver & many others.
Why can't I do that with Apache?

How can I run Apache in a chrooted environment like named?
Is it planned by the Apache Gentoo team to do some script like bind & dhcpd
to do that? Or in server apps in a general way?

When I got rootkitted, suexec was enabled :/

If there is another solution than SELinux, I'm very interested in
that, because servers run on my desktop (not a good solution, I know,
I don't have the choice)

Thanks, Beber


Re: Apache first process without root privileges
Might I suggest that if you run servers on your desktop, then apache
running as root is probably the least of your worries!

from google:

http://docs.linux.com/article.pl?sid=04/05/24/1450203&tid=29&tid=14&tid=35
http://penguin.triumf.ca/chroot.html
http://www.sdn.or.id/share/Debian-Doc/manuals/securing-debian-howto/ap-chroot-apache-env.en.html
http://www.openbsd.org/faq/faq10.html
http://www.monkey.org/openbsd/archive/tech/0207/msg00158.html

and so on.. u might find something useful there..

-c

Re: Apache first process without root privileges
Not that I have the solution for you, but this is the sort of thing
where SELinux comes into play - if your Apache is compromised SELinux
doesn't give root apache access to anything else on the system except
the apache dir and port 80 (policy depending of course).
-c

Re: Apache first process without root privileges
Beber [Gentoo] wrote:

> Many programs start with root privileges, and after the root-dependent init,
> then "fork" as another user, like exim, svnserver & many others.
> Why can't I do that with Apache?

Apache starts as root then drops to the "apache" (or "nobody" or
whatever you configured in conf) user. It's not running as root.

If you really got rootkit-ed you were probably also vulnerable to a
local root vulnerability that allowed the attacker to escalate from
apache to root privileges.

--
Koon
Gentoo Linux Security
Re: Apache first process without root privileges
On Sunday 03 April 2005 23:08, Christophe Garault wrote:
> Bertrand Jacquin wrote:
> I don't think there's a way to run Apache (which opens port 80)
> without root privileges, but scripts could be run with suexec or
> Apache chrooted....

...short of removing the restriction on root being the only user that can bind to ports below 1024.

In this day and age, it seems like a useless feature now, and one that probably only gets in the way of programmers.
From what I understand, it was to stop users "spoofing" well known services such as SMTP, SSH, or DNS on multi user boxes.
It seems a very archaic and blunt tool for this purpose.

Calum

--

http://zapee.com - professional webhosting

Re: Apache first process without root privileges
On Mon, 2005-04-04 at 01:17 +0200, Beber [Gentoo] wrote:

> How can I run Apache in a chrooted environment like named?
> Is it planned by the Apache Gentoo team to do some script like bind & dhcpd
> to do that? Or in server apps in a general way?

Running Apache in a chroot is pretty much pointless.
If you can gain uid 0 in a chroot or vfs you can still abuse the host
system. Abusing the system, like traffic sniffing, hijacking other pids and/or
breaking out of a standard chroot using shmat(), mknod(), chmod(),
fchdir(), iopl(), mount(), kill(), AF_UNIX sockets, sysctl() and
ptrace(), is rather easy.

To handle that properly you want a form of access control.
Gentoo offers you 3 choices for access control. grsec-rbac, selinux and
rsbac. http://hardened.gentoo.org

Good luck and try to keep your servers up to date more often.
glsa-check -l | grep '\[N\]'

--
Ned Ludd <solar@gentoo.org>

Re: Apache first process without root privileges

The hidden syntax for this, which should be equivalent is:

glsa-check -t all

--Kevin

On Mon, Apr 04, 2005 at 12:15:09PM -0400, Ned Ludd wrote:
>
> Good luck and try to keep your servers up to date more often.
> glsa-check -l | grep '\[N\]'
>

Re: Apache first process without root privileges
On Apr 4, 2005 1:17 AM, Beber [Gentoo] <beber.gentoo@gmail.com> wrote:
> Ok, I see
>
> Many programs start with root privileges, and after the root-dependent init,
> then "fork" as another user, like exim, svnserver & many others.
> Why can't I do that with Apache?

Apart from all the things already mentioned, let me also point out that running
the first Apache process as an unprivileged user (nobody, e.g.) can have a
negative impact on server security.

The only thing this process does after initialization is maintain the right
number of unprivileged child processes, which serve all client requests.
So attackers are not able to interact with the privileged process. Unprivileged
children don't have access to all resources opened by the root process (like the
low number port).
Remote root exploits for Apache were uncommon (if any), weren't they?
As Thierry suggested, you probably had another local vulnerability.

If you dropped root privileges for _all_ Apache processes, an attacker who owned
nobody's account (e.g. through PHP script vulnerabilities) would have access
to more things - like sniffing all www server traffic (even encrypted),
reading and modifying the main process address space, or stealing database
passwords from Apache or PHP configuration files.

But if you still want to drop all root privileges, here is how to do it:
Run it on a high-numbered port (>1024) <Apache_Port> as a regular user,
the same one specified by the User directive in your httpd.conf.
Then redirect all traffic from port 80 to <Apache_Port>. With iptables
you can do it with:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports <Apache_Port>

Correct me, if I'm wrong, please.
Regards,

--
Robert Nowotniak
GPG: 1024D/AD2800F1 B7D2 EBA3 01F1 0049 013D E8A6 AEBA 7C82 AD28 00F1
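
The privilege split discussed in the replies above (a root master whose workers run as the User account, versus a tree that runs entirely under one unprivileged uid) can be checked from `ps -eo user,pid,ppid,args` output. This is an added example, not code from the thread; the function names, the sample rows and the /opt/httpd paths are constructed for illustration.

```python
# Added example: audit an Apache process tree for the root-master /
# unprivileged-worker split. Input format: `ps -eo user,pid,ppid,args`.

# Constructed sample (not captured from a real host). PID 20001 is a worker
# that never dropped root; the 3000x tree runs entirely as one unprivileged user.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root     11581     1 /usr/sbin/apache2 -f /etc/apache2/httpd.conf
apache   11585 11581 /usr/sbin/apache2 -f /etc/apache2/httpd.conf
apache   11587 11581 /usr/sbin/apache2 -f /etc/apache2/httpd.conf
root     20001 11581 /usr/sbin/apache2 -f /etc/apache2/httpd.conf
www      30000     1 /opt/httpd/bin/apache2 -f /opt/httpd/high-port.conf
www      30001 30000 /opt/httpd/bin/apache2 -f /opt/httpd/high-port.conf
"""


def parse_ps(text):
    """Return {pid: (user, ppid, executable)} from ps output with a header row."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[1].isdigit() and fields[2].isdigit():
            user, pid, ppid, args = fields
            procs[int(pid)] = (user, int(ppid), args.split()[0])
    return procs


def audit(procs, binary="apache2"):
    """Return sorted (pid, finding) pairs for workers that break the split."""
    httpd = {pid: p for pid, p in procs.items()
             if p[2].rsplit("/", 1)[-1] == binary}
    findings = []
    for pid, (user, ppid, _exe) in httpd.items():
        if ppid not in httpd:
            continue  # a master process; it is judged through its workers
        master_user = httpd[ppid][0]
        if user == "root":
            findings.append((pid, "worker still running as root"))
        elif user == master_user:
            # Same uid as the master: a compromised worker can reach it.
            findings.append((pid, "worker shares its uid with the master"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, finding in audit(parse_ps(SAMPLE_PS)):
        print(pid, finding)
```
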
Re: Apache first process without root privileges
Robert Nowotniak wrote:

>But if you still want to drop all root privileges, here is how to do it:
>Run it on a high-numbered port (>1024) <Apache_Port> as a regular user,
>the same one specified by the User directive in your httpd.conf.
>Then redirect all traffic from port 80 to <Apache_Port>. With iptables
>you can do it with:
># iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports <Apache_Port>
>
>Correct me, if I'm wrong, please.
>Regards,
>
>

There is a doc posted recently on IU's security office website detailing
the steps to do this:

http://itso.iu.edu/You_Don't_Need_Root_for_That

Cheers!

-Corey