From owner-freebsd-questions Sun Dec 30 17:15:23 2001
Message-Id: <200112310115.fBV1FEx12926@fedde.littleton.co.us>
To: Troy
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Getting Apache to run as user www only
In-Reply-To: <1009759250.60bc5ff9tdrake@myrealbox.com>
From: Chris Fedde
Date: Sun, 30 Dec 2001 18:15:14 -0700

On Sun, 30 Dec 2001 18:40:50 -0600 Troy wrote:
 +------------------
 | Hi all,
 | I've been running Apache for quite a while, but I'm trying to
 | secure my system and keep as many things from running as root as
 | possible. I have the Apache config set to the default www as the
 | user to run under, but the initial httpd process runs as root. Is
 | there a way to get all the httpd processes to run as www?
 +------------------

The process that opens port 80 needs to be user root. Apache forks
new port 80 listeners occasionally so the master process needs to
run as root. I know that Solaris has a way of granting a user rights
to open a privileged socket but I have not seen that feature in
FreeBSD yet.

If you don't need all the advanced features that Apache is giving
you, and you are not running a huge CGI load, you might consider
using thttpd (in the ports collection or from www.acme.com). It is
a single process chrootable server that drops privileges after the
master listening socket is opened. It uses poll(2) on OSes that
have it or select(2) to handle all connections from one process.
It even has a simple way of doing named virtual servers. It is quite
frugal with system resources and often performs better under load
than Apache.

--
Chris Fedde