Date: Mon, 22 May 1995 22:52:36 -0400 (EDT)
From: Mark Hittinger <bugs@ns1.win.net>
To: mbailey@gnu.ai.mit.edu
Cc: hackers@FreeBSD.org
Subject: Re: multi virtual web sites
Message-ID: <199505230252.WAA27625@ns1.win.net>
In-Reply-To: <Pine.SUN.3.91.950522212448.2356C-100000@cps201> from "CMU Mail Archive" at May 22, 95 09:26:12 pm
>
> On Mon, 22 May 1995, Mark Hittinger wrote:
> >
> > I use the CERN httpd and the patches went in very easily.  I had to
> > fool around a little bit with the technique.  The bind() call needs
> > to be executed with privilege, so you have to run as root.  This is
> > nasty, however, the "parentuserid"/"parentgroupid" can get you around
> > that little nasty.

mbailey@gnu.mit.... wrote:
> Run as ROOT!  No way in hell!  I installed the patch just nicely running
> -current and everything seems to work fine for me the pages are not set
> up correctly yet but www.cps.cmich.edu and www.journey.com both run on
> the same machine right now without running as root :/
>

Hmmm well let's make sure we are talking apples and apples.  Are we talking
about port 80?  I didn't use an inetd technique for these servers - I used
the fork mode.  I thought port 80 was a privileged port and you need some
privilege to be able to bind to it.  Are you saying that an unprivileged
program can bind to port 80 on -current?

I've seen some guys write a small root wrapper that gets the port and puts
up a chroot/chdir jail then drops privs and exec's httpd.....maybe that's
what you have?

In any event parentuserid drops root privs right after the bind() call.  I
probably do need to code some sort of chroot jail cell for the httpd though.

Regards,

Mark Hittinger
bugs@win.net
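The wrapper pattern described in the message above (get the port as root, put up a chroot/chdir jail, drop privileges, exec the server), as an added example that is not part of the original e-mail or of the CERN httpd patch. The command-line layout and handing the listening socket to the server as descriptor 0 are assumptions; a server has to be written to accept an inherited listener.

```c
/* Added example: root-only work first, then an irreversible privilege drop. */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a listening TCP socket on ip:port (ports < 1024 need root). fd or -1. */
int bind_listener(const char *ip, unsigned short port) {
    struct sockaddr_in sa;
    int fd, on = 1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -1;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Become uid/gid for good. Order matters: extra groups, then gid, then uid. */
int drop_privs(uid_t uid, gid_t gid) {
    if (uid == 0) return -1;                          /* "dropping" to root is a no-op */
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0) return -1;                    /* root must not be recoverable */
    return 0;
}

/* Assumed usage: wrapper <ip> <jail-dir> <uid> <gid> <server-path-inside-jail> */
int main(int argc, char **argv) {
    if (argc != 6) return 2;
    int fd = bind_listener(argv[1], 80);              /* the only step that needs the port */
    if (fd < 0) { perror("bind"); return 1; }
    if (chroot(argv[2]) < 0 || chdir("/") < 0) { perror("chroot"); return 1; }
    if (drop_privs((uid_t)atoi(argv[3]), (gid_t)atoi(argv[4])) < 0) return 1;
    if (dup2(fd, 0) < 0) return 1;                    /* assumed: server accepts on fd 0 */
    execl(argv[5], argv[5], (char *)NULL);
    perror("exec");
    return 1;
}
```

Numeric ids are used because the jail normally has no passwd file to resolve names against once chroot() has run.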