Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Apache VS IIS Securiyt model question

from [exon] Network Security [Permanent Link]
Subject: Re: Apache VS IIS Securiyt model question
Date: Sun, 12 Sep 2004 16:47:03 +0200
mthompson wrote: 
Hello,

I am doing research and I am stuck. 

Pitch: In IIS there is the ability to set permissions on a per website
basis. In other words the ability to limit access to files and
directories based on the users credentials that the website is running
under. Additionally, you would in turn add this user to a group and
apply group permissions to an object that needed to be accessed by more
than one site.


Microsoft is simply mimicing the way most unix filesystem works.

Take the extended filesystem, versions 2 and 3 (which is standard for Linux installations) for example.
Each filesystem node (file, directory, pipe, socket etc) is assigned a 'permission list' (in lack of a better word) for;
a/ the user who owns the file
b/ the group who owns the file
c/ everybody else
These permissions can be empty or any combination of read, write and execute.

An additional value can be set for each file and directory to let (for example) people who execute a script or program do so as the user or group owning the executable. There are many more options for this extra value, but I'm sure you get the idea.

All of this is handled at kernel level, and can't be circumvented by anyone but root, who always has read and write access to everything (and execute permissions if any of the permission lists contain the execute bit).

Question: Is there a similar security model for apache that would allow
credentials from a user to run a virtual website and access files only
for a specific virtual site.


Short answer; Yes. I have set it up myself at numerous occasions. See above for details.
Long answer; Apache has a 'suexec' feature (executing code or reading webpages as a different user). I'm not sure how well implemented this is for Windows type operating systems, but the apache website should be able to provide you with more answers.
The best way to run apache though would still be on a unix platform. MS hasn't quite managad to convince me of their networking stability just yet.

Also, does any one have a diagram of the apache process?


I know some goofball sat down and wrote execution schematics for a bunch of opensource networking daemons a while back to analyze likely future points of failure, but I don't know where to find them, and I'm not sure they were ever made publically available (seeing as the reason for their creation was somewhat shady in the first place).

Thanks,


You're welcome.

Mike 

/exon

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SQL Injection data retrieving??, saphyr
Next by Date:  Re: SQL Injection data retrieving??, Adam Tuliper
Previous by Thread:  Apache VS IIS Securiyt model question, mthompson
Next by Thread:  RE: Apache VS IIS Securiyt model question, Dinis Cruz
Indexes:  [Date] [Thread] [Top] [All Lists]