On Thu, Jan 5, 2012 at 10:13 PM, email builder <emailbuilder88 at yahoo.com> wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>> your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as its
> own non-root user and /etc/shadow is root-owned and 0400, then
> how could any exploit of software not running as root ever have
> access to that file??

Apache starts as root so it can open port 80. Certain bugs might
happen before it switched to a non-privileged user. But, a more
likely scenario would be to get the ability to run some arbitrary
command through an apache, app, or library vulnerability, and that
command would use a different kernel, library, or suid program
vulnerability to get root access. Look back through the update
release notes and you'll find an assortment of suitable bugs that have
been there...

--
Les Mikesell
lesmikesell at gmail.com
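
Added example, not part of the original message: a defender-side check for the privilege switch described above, which parses the `Uid:`/`Gid:` lines of `/proc/<pid>/status` and flags any web server worker that still holds a root real, effective, saved or filesystem ID. The function names, the `httpd` process name and the sample status text (uid/gid 48) are assumptions constructed for illustration.

```python
# Added example: constructed /proc/<pid>/status excerpts, not captured from a real host.
SAMPLE = [
    "Name:\thttpd\nPid:\t900\nPPid:\t1\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    "Name:\thttpd\nPid:\t901\nPPid:\t900\nUid:\t48\t48\t48\t48\nGid:\t48\t48\t48\t48\n",
    "Name:\thttpd\nPid:\t902\nPPid:\t900\nUid:\t48\t48\t0\t48\nGid:\t48\t48\t48\t48\n",
    "Name:\tsshd\nPid:\t700\nPPid:\t1\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
]
# Order of the four values on the kernel's Uid: and Gid: lines.
ID_KINDS = ("real", "effective", "saved", "fs")

def parse_status(text):
    """Extract name, pid, parent pid and the four uids/gids from status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return {
        "name": fields["Name"][0],
        "pid": int(fields["Pid"][0]),
        "ppid": int(fields["PPid"][0]),
        "uid": dict(zip(ID_KINDS, map(int, fields["Uid"]))),
        "gid": dict(zip(ID_KINDS, map(int, fields["Gid"]))),
    }

def audit_workers(status_texts, server_name="httpd"):
    """Return (pid, reason) for each worker that kept any root uid or gid."""
    procs = [p for p in map(parse_status, status_texts) if p["name"] == server_name]
    server_pids = {p["pid"] for p in procs}
    findings = []
    for p in procs:
        if p["ppid"] not in server_pids:
            continue  # master process: started as root to open port 80
        for label in ("uid", "gid"):
            for kind, value in p[label].items():
                # A saved id of 0 lets the process switch back to root later.
                if value == 0:
                    findings.append((p["pid"], f"{kind} {label} is 0"))
    return findings

if __name__ == "__main__":
    for pid, reason in audit_workers(SAMPLE):
        print(f"worker {pid}: {reason}")
```

On a live host the same functions can be fed the contents of each `/proc/<pid>/status` file instead of `SAMPLE`.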