From: Mark Hittinger
Message-Id: <199505230252.WAA27625@ns1.win.net>
Subject: Re: multi virtual web sites
To: mbailey@gnu.ai.mit.edu
Date: Mon, 22 May 1995 22:52:36 -0400 (EDT)
Cc: hackers@FreeBSD.org
In-Reply-To: from "CMU Mail Archive" at May 22, 95 09:26:12 pm

>
> On Mon, 22 May 1995, Mark Hittinger wrote:
>
> >
> > I use the CERN httpd and the patches went in very easily.  I had to
> > fool around a little bit with the technique.  The bind() call needs
> > to be executed with privilege, so you have to run as root.  This is
> > nasty, however, the "parentuserid"/"parentgroupid" can get you around
> > that little nasty.

mbailey@gnu.mit.... wrote:
> Run as ROOT! No way in hell! I installed the patch just nicely running
> -current and everything seems to work fine for me the pages are not set
> up correctly yet but www.cps.cmich.edu and www.journey.com both run on
> the same machine right now without running as root :/
>

Hmmm well let's make sure we are talking apples and apples.  Are we talking
about port 80?  I didn't use an inetd technique for these servers - I used
the fork mode.  I thought port 80 was a privileged port and you need some
privilege to be able to bind to it.  Are you saying that an unprivileged
program can bind to port 80 on -current?

I've seen some guys write a small root wrapper that gets the port and puts
up a chroot/chdir jail then drops privs and exec's httpd.....maybe that's
what you have?  In any event parentuserid drops root privs right after the
bind() call.  I probably do need to code some sort of chroot jail cell for
the httpd though.

Regards,

Mark Hittinger
bugs@win.net