On Tue, Sep 29, 2009 at 8:09 PM, Brian Rectanus <Brian.Rectanus@breach.com> wrote:

No, I do not agree ;)  This is normally the response I get and I think it is a flawed argument.  Typically your entire system is based off of shared libraries, not just apache modules (unless you went to a lot of trouble).

* Do you build Apache completely static (not just apache modules, but all the libs it links to as well)?  Otherwise any of those libs can be replaced as well.

Yes, that is true. It's just one less place that can happen.
* Replacing libs is actually a good thing as it allows the library to fix an issue without having to rebuild the rest of the app.  This would normally result in a faster fix time that requires a lot less work on your part.  Normally I build with vendor/distribution supplied libraries as they have the time (generally) to keep them more up-to-date than I do.

Security fixes are normally applied quickly to vendor packages but the version of these libraries is usually pretty old (I use Debian stable) so I tend to build apache and its modules by myself. I have automated processes for this so rebuilding everything if a module changes is pretty fast.
* If someone has the rights to install a rogue module, then they also generally have the rights to replace the httpd binary as well ;)

Generally, but not always. :)

* Building ModSecurity in this fashion is unsupported and definitely untested, so you risk there being a problem with the install, potentially lessening your security standpoint.

The bottom line is that I thought it would be just a question of putting the files in the correct place so that apache could be built with the module included. If the interfaces are different and if it implies code changes then don't worry about it. Maybe I'm the only one running an apache without dso support.

Best regards,
André Cruz
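A check in the spirit of this exchange, added here as an example and not code from the thread or from the ModSecurity project: since the shared libraries httpd links to can be replaced just as easily as a DSO module, inventory everything the server loads (LoadModule targets from the config, linked shared objects via ldd) and verify each file against a baseline of known-good SHA-256 hashes. The ServerRoot layout, module names and file contents in `demo()` are constructed for illustration.

```python
"""Inventory the code Apache loads (DSO modules, linked shared objects) and check each file against a baseline of known-good SHA-256 hashes."""
import hashlib
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+\S+\s+(\S+)", re.MULTILINE)  # unquoted paths

def dso_modules(conf_text, server_root):
    """Paths named by LoadModule directives, resolved against ServerRoot (absolute paths win)."""
    return [str(Path(server_root, m)) for m in LOADMODULE_RE.findall(conf_text)]

def linked_libs(binary):
    """Shared objects the binary resolves through ldd ([] if ldd is absent; the loader itself is not listed)."""
    if shutil.which("ldd") is None:
        return []
    out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    return re.findall(r"=>\s+(\S+)\s+\(0x", out)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify(paths, baseline):
    """Map each path to 'ok', 'modified', 'unexpected' (loaded but never baselined) or 'missing'."""
    status = {}
    for p in paths:
        if not Path(p).is_file():
            status[p] = "missing"
        elif p not in baseline:
            status[p] = "unexpected"
        elif sha256(p) != baseline[p]:
            status[p] = "modified"
        else:
            status[p] = "ok"
    return status

def demo():
    """Constructed ServerRoot: one baselined module that is then overwritten, one module the config loads that was never baselined."""
    root = Path(tempfile.mkdtemp())
    (root / "modules").mkdir()
    known = root / "modules" / "mod_security2.so"
    known.write_bytes(b"constructed module bytes")
    (root / "modules" / "mod_extra.so").write_bytes(b"constructed module bytes")
    conf = "LoadModule security2_module modules/mod_security2.so\nLoadModule extra_module modules/mod_extra.so\n"
    baseline = {str(known): sha256(known)}  # recorded before the overwrite below
    known.write_bytes(b"replaced module bytes")  # simulate a swapped-in module
    return {Path(p).name: s for p, s in verify(dso_modules(conf, root), baseline).items()}
```

On a live host, build the path list from `dso_modules()` plus `linked_libs("/usr/sbin/apache2")` (or the distribution's httpd path) and the binary itself, and record the baseline from a trusted install, for example right after the package or your automated build is deployed.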