From owner-freebsd-questions Tue Jan 1 22:52:16 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from post.mail.nl.demon.net (post-11.mail.nl.demon.net [194.159.73.21]) by hub.freebsd.org (Postfix) with ESMTP id AB91D37B405 for ; Tue, 1 Jan 2002 22:52:13 -0800 (PST)
Received: from [212.238.194.207] (helo=tanya.raggedclown.net) by post.mail.nl.demon.net with esmtp (Exim 3.33 #1) id 16LfG0-0008C5-00 for freebsd-questions@freebsd.org; Wed, 02 Jan 2002 06:52:12 +0000
Received: by tanya.raggedclown.net (Postfix on SuSE Linux 7.3 (i386), from userid 500) id 66F641175; Wed, 2 Jan 2002 07:52:11 +0100 (CET)
Date: Wed, 2 Jan 2002 07:52:11 +0100
From: Cliff Sarginson
To: freebsd-questions@freebsd.org
Subject: Re: Getting Apache to run as user www only
Message-ID: <20020102065211.GA2339@raggedclown.net>
References: <1009759250.60bc5ff9tdrake@myrealbox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, Jan 02, 2002 at 12:34:04AM -0600, Dustin Puryear wrote:
> The parent Apache process has to bind to port 80 before it spawns the
> children that will actually service web requests. If you are really
> concerned then consider a chroot environment. Hmm, on second thought, that
> wouldn't actually solve this particular issue since putting a root process
> in a jail might give an attacker some elbow room.
>
> It's always seemed to me that it would be a good idea if you could configure
> the kernel to allow specific users to bind to specific ports. Say, a simple
> configuration file such as:
>
> # user   port
> http     tcp/80
> http     tcp/443
> named    udp/53
>
> And now the kernel would allow user http to bind to ports 80 and 443.
>

And what a field-day for bored crackers such an appalling suggestion, if ever implemented, that would be. I think that takes a small prize for being the best suggestion for introducing a security hole the size of the Grand Canyon into the O/S. Just think about it, before you ask why... :)

--
Regards
Cliff
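The bind-as-root-then-drop sequence that Dustin's quoted paragraph refers to, written out as an added C example that is not part of the thread (the function names bind_listen, drop_privileges and bind_then_drop are my own; port, uid and gid are whatever the caller supplies):

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() in <grp.h> */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <unistd.h>
#include <grp.h>

/* Listen on 127.0.0.1:port; returns the fd or -1. Ports below 1024 need
 * root, so this is the step that forces the parent to start privileged.
 * Port 0 lets the kernel pick a free high port (used by the test below). */
int bind_listen(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { 0 };
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and gid
 * first, uid last, because after setuid() the group calls would be refused.
 * Returns 0 only if every id changed and root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* drop was not permanent */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

/* The sequence the reply describes, collapsed into one process: bind while
 * still root, then drop before any request is read. Apache keeps its parent
 * as root and does the drop in each forked child; the ordering is the same. */
int bind_then_drop(uint16_t port, uid_t uid, gid_t gid)
{
    int fd = bind_listen(port);
    if (fd < 0) return -1;
    if (drop_privileges(uid, gid) < 0) { close(fd); return -1; }
    return fd; /* now accept() and serve as the unprivileged user */
}
```

Run as root with port 80 and the www uid/gid to see the real sequence; as an ordinary user, port 0 and your own ids exercise the same code path without needing privilege.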