Date: Wed, 2 Jan 2002 00:34:04 -0600
From: "Dustin Puryear" <dpuryear@usa.net>
To: "Troy" <tdrake@myrealbox.com>, <freebsd-questions@freebsd.org>
Subject: RE: Getting Apache to run as user www only
Message-ID: <PGECILGGNJGDPJKLFEMIGEEBCMAA.dpuryear@usa.net>
In-Reply-To: <1009759250.60bc5ff9tdrake@myrealbox.com>

The parent Apache process has to bind to port 80 before it spawns the children that will actually service web requests. If you are really concerned then consider a chroot environment. Hmm, on second thought, that wouldn't actually solve this particular issue since putting a root process in a jail might give an attacker some elbow room.

It's always seemed to me that it would be a good idea if you could configure the kernel to allow specific users to bind to specific ports. Say, a simple configuration file such as:

# user   port
http     tcp/80
http     tcp/443
named    udp/53

And now the kernel would allow user http to bind to ports 80 and 443.

Regards, Dustin

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Troy
> Sent: Sunday, December 30, 2001 6:41 PM
> To: freebsd-questions@freebsd.org
> Subject: Getting Apache to run as user www only
>
>
> Hi all,
> I've been running Apache for quite a while, but I'm trying to
> secure my system and keep as many things from running as root as
> possible. I have the Apache config set to the default www as the
> user to run under, but the initial httpd process runs as root. Is
> there a way to get all the httpd processes to run as www?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?PGECILGGNJGDPJKLFEMIGEEBCMAA.dpuryear>