From: "Dustin Puryear"
To: "Troy"
Subject: RE: Getting Apache to run as user www only
Date: Wed, 2 Jan 2002 00:34:04 -0600
In-Reply-To: <1009759250.60bc5ff9tdrake@myrealbox.com>

The parent Apache process has to bind to port 80 before it spawns the children that will actually service web requests. If you are really concerned then consider a chroot environment. Hmm, on second thought, that wouldn't actually solve this particular issue since putting a root process in a jail might give an attacker some elbow room.

It's always seemed to me that it would be a good idea if you could configure the kernel to allow specific users to bind to specific ports. Say, a simple configuration file such as:

    # user port
    http tcp/80
    http tcp/443
    named udp/53

And now the kernel would allow user http to bind to ports 80 and 443.

Regards, Dustin

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Troy
> Sent: Sunday, December 30, 2001 6:41 PM
> To: freebsd-questions@freebsd.org
> Subject: Getting Apache to run as user www only
>
>
> Hi all,
> I've been running Apache for quite a while, but I'm trying to
> secure my system and keep as many things from running as root as
> possible. I have the Apache config set to the default www as the
> user to run under, but the initial httpd process runs as root. Is
> there a way to get all the httpd processes to run as www?
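
The bind-then-drop sequence behind the reply above, as an added example that is not part of the original thread and is not Apache's code. It is simplified: the whole process gives up root after binding, whereas Apache keeps a root parent and only its children switch users. The function names are hypothetical, and "www" is the account named in the question.

```c
#define _DEFAULT_SOURCE           /* exposes setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1 (privileged): bind and listen on a TCP port, return the socket or -1. */
int bind_listener(unsigned short port) {
    struct sockaddr_in sa;
    int on = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: permanently become `user`. Returns 0 on success, -1 on any failure. */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1;   /* unknown user, or root itself */
    if (geteuid() != 0)                             /* not root: cannot switch users */
        return geteuid() == pw->pw_uid ? 0 : -1;
    /* Order matters: supplementary groups and gid go first, while still root. */
    if (setgroups(1, &pw->pw_gid) < 0) return -1;
    if (setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0) return -1;
    return setuid(0) == 0 ? -1 : 0;                 /* regaining root must fail */
}

int main(void) {
    int fd = bind_listener(80);                     /* needs root */
    if (fd < 0) { perror("bind_listener"); return 1; }
    if (drop_privileges("www") < 0) {               /* "www" as in the question */
        fprintf(stderr, "could not drop to www, refusing to serve\n");
        return 1;
    }
    printf("listening on fd %d as uid %d\n", fd, (int)getuid());
    close(fd);                                      /* a real server would accept() here */
    return 0;
}
```

The listening socket stays usable after the identity change because the port check happens at bind() time, not on later accept() calls.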