Date: Wed, 2 Jan 2002 07:52:11 +0100
From: Cliff Sarginson <cliff@raggedclown.net>
To: freebsd-questions@freebsd.org
Subject: Re: Getting Apache to run as user www only
Message-ID: <20020102065211.GA2339@raggedclown.net>
In-Reply-To: <PGECILGGNJGDPJKLFEMIGEEBCMAA.dpuryear@usa.net>
References: <1009759250.60bc5ff9tdrake@myrealbox.com> <PGECILGGNJGDPJKLFEMIGEEBCMAA.dpuryear@usa.net>

On Wed, Jan 02, 2002 at 12:34:04AM -0600, Dustin Puryear wrote:
> The parent Apache process has to bind to port 80 before it spawns the
> children that will actually service web requests. If you are really
> concerned then consider a chroot environment. Hmm, on second thought, that
> wouldn't actually solve this particular issue since putting a root process
> in a jail might give an attacker some elbow room.
>
> It's always seemed to me that it would be a good idea if you could configure
> the kernel to allow specific users to bind to specific ports. Say, a simple
> configuration file such as:
>
> # user port
> http tcp/80
> http tcp/443
> named udp/53
>
> And now the kernel would allow user http to bind to ports 80 and 443.
>

And what a field-day for bored crackers such an appalling suggestion,
if ever implemented, that would be.
I think that takes a small prize for being the best suggestion for
introducing a security hole the size of the grand canyon into the O/S.

Just think about it, before you ask why... :)

--
Regards
Cliff

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message