Firewalls: Re: http server for bastion host

Firewalls
(February 1998)

Indexed By Thread: [Previous] [Next]

Subject:	Re: http server for bastion host
From:	"Michael H. Warfield" <mhw @ wittsend . com>
Date:	Sun, 8 Feb 1998 23:32:15 -0500 (EST)
To:	stepken @ www . firmen-info . de (Stepken)
Cc:	marcs @ znep . com, Firewalls @ GreatCircle . COM
In-reply-to:	<34DE0C08 . 7D49BCBF @ www . firmen-info . de> from Stepken at "Feb 8, 98 08:48:25 pm"

Stepken enscribed thusly:
> Marc Slemko wrote:

> > Have you actually looked at the code before spouting silly garbage like it
> > being "bullet proof"?

> > Do you really want to trust a server that normally runs as root and that,
> > if it fails to switch UIDs before serving a document, just logs a message
> > and proceeds as root?  I don't call that bullet proof.  While you wouldn't
> > be running it as root anyway on a firewall, it does indicate something
> > about the software.  I'm sure it can be made secure, but your clueless
> > claim that it is god and never ever has any problems while Apache is full
> > of buffer overflows (if it is, I sure don't see them) is foolish.

> It really doesn't matter, whether it runs as root or as user. Every user
> can become root, with some common exploits. There are some patches for
> chroot() and chuid(), which are urgently needed.
> I really had some very serious problems with perl cgi's and apache. I
> also see some SSI problems on geek-girl which have been patched, thanx
> to you as co-develloper of APACHE. Mostly the security of programs (like
> apache) heavily depend on the quality of lib's
> (popen(),gets,sprintf.race-condition..problems). As programer you can't
> claim, that apache binary is ok, because there are enough included libs
> left, which are quite unsecure. So - you may be right, if you claim,
> that apache is secure, from the point of source-review. I , personally,
> only trust a chroot() version of apache or CERN.

	If you only trust a chrooted version of apache or CERN, you are a
fool.  Chroot does help.  But there ARE exploits for getting out of chrooted
jails (especially if you manage to get superuser), just as there are
exploits for getting superuser.  I, personally, don't "only" trust ANYTHING.
I depend on a combination of "things" of which chroot, and non-superuser
id's are only part.  I do not "trust" chroot nor a non-root user.  The
combination of the two is better.  The combination of the two behind a
firewall is still better.  Those behind a filtering router are better yet
still.  Depend on one thing and it should be this:  NOTHING is bullet-proof
(or fool proof for that matter).

> cu, Guido Stepken

	Regards,
	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw @
 WittsEnd .
 com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Follow-Ups:

Re: http server for bastion host
From: Stepken <stepken @ edina . xnc . com>

References:

Re: http server for bastion host
From: Stepken <stepken @ www . firmen-info . de>

Indexed By Date	Previous:	Re: Firewalls-Digest V7 #55 From: "Delia Garcia" <delia @ gate . net>
Indexed By Date	Next:	SGi Gauntlet and E-Mail From: Andreas Stylianou <andreass @ zenon . logos . cy . net>
Indexed By Thread	Previous:	Re: http server for bastion host From: Peter da Silva <peter @ baileynm . com>
Indexed By Thread	Next:	Re: http server for bastion host From: Stepken <stepken @ edina . xnc . com>