lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1068739693.512.48.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Re: Funny article

On Thu, 2003-11-13 at 08:41, Volker Tanger wrote:
> > Ideally the Apache exe should be running as an unpriviledged user. but
> > then, ideally the IIS server should be running as an unpriviledged
> > user too....
> 
> Well, running a kernel task is a bit difficult to do unprivileged...
> *SCNR*  

I don't understand this comment at all. Ideally IIS should be running as
an unpriviledged user, like in the good ole IIS 3 days. Back then the
service was running under a user account so even if the IIS service got
hijacked through a BO, you still had to hack your way to privileges. No
immediate SYSTEM there.

The reason IIS4+ runs as SYSTEM appears to be to gain performance. I
guess running IIS as a kernel module and having less context switches
does do well for performance (like an Apache LKM), but unfortunately not
for security.

What specific kernel task were you referring to?

Regards,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031113/a0444460/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ