From owner-freebsd-security@FreeBSD.ORG Wed Jul 19 07:34:54 2006
Date: Wed, 19 Jul 2006 09:34:46 +0200 (CEST)
Message-Id: <200607190734.k6J7Yk6J036446@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, danil@sochiwater.ru
In-Reply-To: <44BDCD73.9030508@sochiwater.ru>
Subject: Re: Port scan from Apache?

Danil V. Gerun wrote:
> BTW, isn't it impossible for Apache (if it's running from non-root)
> to make connections from his port 80?
Normally Apache doesn't make connections (unless you use mod_proxy, and in that case it doesn't use port 80 as the source port). It rather accepts connections to its port 80.

However, the process of bind(2)ing to port 80 in order to accept connections to it is -- by default -- limited to processes with root privileges. There are several ways that can be accomplished without actually running the Apache server processes as root:

1. Usually you start Apache as root, then it bind(2)s to port 80, then it changes its UID to some other, non-privileged user (retaining the binding to port 80), and then it uses listen(2)/accept(2) to accept connections. That's the default setup, so most people use it.

2. You can start Apache as non-root right from the start and have it listen to some non-privileged port, e.g. 8080. If you don't want to force all users to enter that port number in the URLs all the time, you can use NAT to rewrite ports, and/or install a local forwarding rule (e.g. using IPFW) to forward packets destined for port 80 to port 8080.

3. FreeBSD offers the ability to change the range of ports that are considered privileged, using two sysctls. See the ip(4) manpage for details (and warnings). That way you can allow non-root processes to bind to ports below 1024 (e.g. 80), if you're willing to accept the risks.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Python is an experiment in how much freedom programmers need. Too much freedom and nobody can read another's code; too little and expressiveness is endangered." -- Guido van Rossum
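As an added illustration of option 1 above (example code written for this page, not code from the original post or from Apache): a minimal C function that binds and listens first, then drops to an unprivileged uid/gid. The function names, the loopback address and the use of port 0 (so the self-check can run without root) are this example's own choices.

```c
#define _DEFAULT_SOURCE 1 /* glibc: expose setgroups(); harmless on FreeBSD */
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <grp.h>
#include <stdint.h>
#include <string.h>

/* Bind and listen on `port` while still root, then drop permanently to
 * uid/gid.  The listening socket survives the UID change, which is what
 * lets an unprivileged worker accept() on port 80.  Port 0 makes the kernel
 * pick an ephemeral port, so the function can also be exercised without
 * root.  Returns the listening fd, or -1 on error. */
int listen_then_drop_privileges(uint16_t port, uid_t uid, gid_t gid)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    /* A port below 1024 needs root here (or the ip(4) sysctls of option 3). */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0)
        goto fail;

    /* Only root has anything to drop.  Order matters: supplementary groups,
     * then gid, then uid; after setuid() the first two would fail. */
    if (geteuid() == 0 &&
        (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0))
        goto fail;
    /* The drop must be irreversible: regaining root has to fail now. */
    if (uid != 0 && setuid(0) == 0)
        goto fail;
    return fd;

fail:
    close(fd);
    return -1;
}

/* Port the listening socket actually got, in host byte order, or -1. */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return ntohs(sin.sin_port);
}
```

Run as root with port 80 and a service account's ids, this is the sequence Apache's parent performs before handing the socket to its unprivileged children; run as a normal user with port 0 it simply verifies that the bind-then-drop order works.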