Re: SUID and SGID security concern

On Tue, 08.11.2005 at 15:31, akonstam@xxxxxxxxxxx wrote:

> > I got some questions about the SUID and SGID attributes. I'm running a 
> > web server with Apache and FC3, and I was asked to eliminate these 
> > attributes from the files that don't need them to work properly.

> > Aron L.

> You don't need to post all the files but I can't quite see what files need
> these privileges on a web server. Could you give us an example?

> Aaron Konstam

I think Aron is talking about those binaries on his system which are system
tools - not binaries inside the DocumentRoot. Those, for instance, you can
easily see with "ls -al /bin/".
I feel it is safe to trust those who make the Fedora distribution to fix
software and ship updates if there should be a bug in any of the
software which has a suid binary. There is not really a need to change
the permissions of those suid binaries to secure your webserver. Other things
have to be taken care of to make it secure: use SELinux, take care of file
permissions and the software you offer through the webspace. Shut down
services which you don't need to run, especially those listening on public
devices, and maybe use in addition mod-security from Fedora Extras ...

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 15:35:25 up 10 days, 13:35, load average: 0.12, 0.22, 0.29 

Attachment: signature.asc
Description: This is a digitally signed message part
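
Added example, not part of the message above and not Fedora's own tooling: a shell script that inventories SUID/SGID files under a directory and reports which package ships each one, so files that came with the distribution can be told apart from ones that did not. The function names are hypothetical, and "unknown" is printed when rpm is not installed.

```shell
#!/bin/sh
# Inventory SUID/SGID regular files and the RPM package that ships each one.
# Function names are illustrative (assumed), not from any existing tool.

# list_setid DIR: paths of regular files under DIR with SUID or SGID set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# classify PATH: prints "suid", "sgid", "suid+sgid", or an empty line.
classify() {
    kind=""
    if [ -u "$1" ]; then kind="suid"; fi
    if [ -g "$1" ]; then kind="${kind:+$kind+}sgid"; fi
    printf '%s\n' "$kind"
}

# owner_pkg PATH: name of the owning package, "unpackaged" if no package
# claims the file, or "unknown" when rpm is not available on this host.
owner_pkg() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) && echo "$pkg" || echo "unpackaged"
}

# audit_setid DIR: one tab-separated line per file: kind, package, path.
audit_setid() {
    list_setid "$1" | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(classify "$f")" "$(owner_pkg "$f")" "$f"
    done
}

# Usage when run as a script: sh audit.sh /bin
if [ "$#" -gt 0 ]; then
    audit_setid "$1"
fi
```

Lines reported as "unpackaged" are the ones that will not receive distribution updates and deserve a closer look.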

