02-10-2011 04:37 PM
I would like to not have to reinvent the wheel if someone else has done this.
02-11-2011 03:06 PM
Rick Retterer here. Can you drop me an email on this please?
We received an inquiry from the Engineering Management staff on this yesterday...
02-11-2011 05:36 PM
To save you the digging...
CSWS/SWS/Apache is built from 2.0.52
Apache 2.2.17 and 2.0.64 are current
csws_php is built from 5.2.13
php 5.3.5 and 5.2.17 are current
(support for php prior to 5.3 has ended)
csws_perl is built from 5.8-6
perl is at 5.12.13
02-14-2011 12:43 PM
Have a look at http://labs.hoffmanlabs.com/node/43 for some links and pointers, including to NIST's SP800-44v2, to the VMS SRR, and AS-816.
02-17-2011 06:18 AM
02-17-2011 09:20 AM
For example the current setup for Apache on OpenVMS is to have the APACHE$WWW user be the owner of the processes that run the web services executables and the APACHE$WWW user also owns the HTTPD.CONF and other configuration files.
The fear is if someone can cause the webservice process to change the HTTPD.CONF file then they would control your web server.
Is this a valid concern?
If not please explain why.
02-17-2011 09:24 AM
So for example, the http.conf file will have an identifier that allows APACHE to READ it.
02-17-2011 09:30 AM
If the webservice has the privilege to modify system files then yes it is a concern.
So the answer is not to grant that kind of privilege to a webservice, and indeed why would one?
02-17-2011 10:03 AM
The web server should not own and should have extremely limited write access to any device and directory and file resources. The default should be no write access, and no control access, and often a top-level ACL on everything else blocking access. Some web-facing systems do require writeable directories (for client file uploads, usually), and those can be, well, hazardous.
It can be easier to deploy a locked down web server (often in a DMZ) than to try to lock down an existing and active server, too.
Web server attacks now tend to target the injection of php code or of SQL, depending on what services are active and what the site is serving up. Proper file protections are a reasonable backstop for some of that, but are far from a panacea. Other attacks can include gifar uploads (into directories that are writeable) and the recent spate of "fun" that has been Firesheep.
02-17-2011 10:18 AM
[AP_HTTPD,APACHE$WWW] (RWED,RWED,,) (IDENTIFIER=APACHE$READ,ACCESS=READ)
So APACHE$WWW owns the file. It has owner access of RWED and the APACHE$READ identifer.
So it looks like the Webservice process that runs as the APACHE$WWW user has write access to the HTTPD.CONF file, unless I'm missing something.