| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: frank at knobbe.us (Frank Knobbe) Subject: Re: Funny article On Thu, 2003-11-13 at 08:41, Volker Tanger wrote: > > Ideally the Apache exe should be running as an unpriviledged user. but > > then, ideally the IIS server should be running as an unpriviledged > > user too.... > > Well, running a kernel task is a bit difficult to do unprivileged... > *SCNR* I don't understand this comment at all. Ideally IIS should be running as an unpriviledged user, like in the good ole IIS 3 days. Back then the service was running under a user account so even if the IIS service got hijacked through a BO, you still had to hack your way to privileges. No immediate SYSTEM there. The reason IIS4+ runs as SYSTEM appears to be to gain performance. I guess running IIS as a kernel module and having less context switches does do well for performance (like an Apache LKM), but unfortunately not for security. What specific kernel task were you referring to? Regards, Frank -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031113/a0444460/attachment.bin
Powered by blists - more mailing lists