On Thu, Jan 5, 2012 at 10:13 PM, email builder emailbuilder88@yahoo.com wrote:
> > 1.) Attacker uses apache remote exploit (or other means) to obtain
> > your /etc/shadow file (not a remote shell, just GET the file without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as its own non-root user and /etc/shadow is root-owned and 0400, then how could any exploit of software not running as root ever have access to that file??

Apache starts as root so it can open port 80. Certain bugs might happen before it switches to a non-privileged user. But, a more likely scenario would be to get the ability to run some arbitrary command through an Apache, app, or library vulnerability, and that command would use a different kernel, library, or suid program vulnerability to get root access. Look back through the update release notes and you'll find an assortment of suitable bugs that have been there...
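
The privilege switch mentioned in the reply above, as an added example that is not part of the original thread and is not Apache's own code: a daemon started as root drops to an unprivileged account in a fixed order, then verifies that root cannot be regained and that a root-owned 0400 file is out of reach. The function names `drop_privileges` and `can_read` and the uid/gid 65534 (commonly `nobody`) are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently drop from root to uid/gid.
 * Returns 0 on success, -1 on any failure; on -1 the caller must exit
 * instead of continuing to serve requests with root privileges. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                  /* refuse to "drop" to root */
    if (setgroups(0, NULL) != 0)    /* 1. clear supplementary groups */
        return -1;
    if (setgid(gid) != 0)           /* 2. group first, while still root */
        return -1;
    if (setuid(uid) != 0)           /* 3. as root: real, effective, saved uid */
        return -1;
    /* 4. verify the ids really changed and root cannot be regained */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: 1 if this process can open path for reading. */
int can_read(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    /* A real server would bind its listening socket (port 80) here,
     * while still root, and do as little else as possible before the drop. */
    if (drop_privileges(65534, 65534) != 0) {   /* assumed nobody ids */
        perror("drop_privileges");
        return 1;
    }
    printf("/etc/shadow readable after drop: %d\n", can_read("/etc/shadow"));
    return 0;
}
```

Run as root, this prints 0 for the readability check on a system where /etc/shadow is root-owned and not world-readable; run as a non-root user, the drop itself fails and the program exits.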