logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> Building & Member Downloads View previous topic :: View next topic
Reply to topic   Topic: Act as Part of the Operating System
Author
Cheeeze



Joined: 04 Jun 2015
Posts: 7
Location: USA, New York

PostPosted: Mon 06 Jul '15 18:37    Post subject: Act as Part of the Operating System Reply with quote

** This is a cross post from the Apache thread, because I think this might be a dev related question and nobody there can answer it **

I have looked everywhere for the answer to this, but I can't seem to find it. Apache on Windows requires "act as part of the operating system" permissions. Why?

I ask because "act as part of the operating system" is an extremely high risk permission that can theoretically allow a hacker who compromised the server to access every file on the hard drive. It's the Windows equivalent of root permission. Apache on Linux restricts the worker processes to a limited user, and IIS on Windows also does the same.

So what is it exactly that Apache on Windows needs this permission for?

I seem to be able to run it fine without the permission, but the manual makes it clear to add it. What will break if I don't? (Maybe it's needed for something I don't use.) And why does nobody else on the internet seem to be concerned about this? Am I missing something?

Perhaps I don't fully understand the mechanics of how the permission works. Maybe it would be too difficult (or not possible) for an outside threat to manipulate the Apache user into impersonating another user. I don't know if the Apache user gets instant access to all files, or if they need to do something with fancy code or APIs to get said access. It could be that none of this is a threat at all.

I turn to the Windows Apache devs for this - this is not an issue on Linux. I don't even think the Linux systems have such a permission to set. This is something recommended exclusively for Apache on Windows. I'm hoping one of you folks might know what about the code needs that permission.

Any help here would be appreciated.

-Using Apache 2.4 on Windows Server 2008
-Apache instructing to add the permission
-MS warning never to give that permission to a user
-Original post
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2783
Location: Hilversum, NL, EU

PostPosted: Mon 06 Jul '15 19:07    Post subject: Reply with quote

Makes no sense to post a separate topic here. So it is going to be removed.

Maybe your concern is not clear and maybe based on old info on the Apache site.

Some Apache dev's are around here (even two moderators here are official committers), but you can post it also at the Apache HTTP Server Users Mailing List.
Back to top
Cheeeze



Joined: 04 Jun 2015
Posts: 7
Location: USA, New York

PostPosted: Mon 06 Jul '15 19:59    Post subject: Reply with quote

The question is pretty straightforward: windows apache needs a special permission, so there must be a reason for requiring that permission.

I want to know what the reason is, because I can't figure it out, its a risky permission, and it seems to work okay without it.

I tried the Apache section here but nobody knows, and I already tried the mailing list originally and nobody knows there either. I even tried the IRC channel and they recommended talking to the windows apache people here because they didn't know. (Its a windows specific thing.)

The information is based off of the current apache documentation online (2.4, linked in the post). So it is current.

I understand the request to not cross post it, but I don't know who else to ask. Nobody knows the answer. I'd be happy to talk one-on-one with one of the devs if you can connect me.

This is something that was actively required for windows when it was not a requirement for linux, so it has something to do with porting to app to windows. I need to talk to the people who did/do that.
Back to top


Reply to topic   Topic: Act as Part of the Operating System View previous topic :: View next topic
Post new topic   Forum Index -> Building & Member Downloads