Open Source and information security mailing list archives
From: frank at (Frank Knobbe)
Subject: Re: Funny article

On Thu, 2003-11-13 at 08:41, Volker Tanger wrote:
> > Ideally the Apache exe should be running as an unprivileged user. But
> > then, ideally the IIS server should be running as an unprivileged
> > user too....
> Well, running a kernel task is a bit difficult to do unprivileged...
> *SCNR*  

I don't understand this comment at all. Ideally IIS should be running as
an unprivileged user, like in the good ole IIS 3 days. Back then the
service was running under a user account so even if the IIS service got
hijacked through a BO, you still had to hack your way to privileges. No
immediate SYSTEM there.

The reason IIS4+ runs as SYSTEM appears to be to gain performance. I
guess running IIS as a kernel module and having fewer context switches
does do well for performance (like an Apache LKM), but unfortunately not
for security.

What specific kernel task were you referring to?

