Date: Fri, 2 Feb 2001 14:30:55 -0500
From: Andrew Barros <abarros@tjhsst.edu>
To: Richard Ward <mh@neonsky.net>
Cc: "David G. Andersen" <dga@pobox.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Apache uid/gid
Message-ID: <20010202143055.A20054@tjhsst.edu>
In-Reply-To: <002701c08d41$810430a0$0101a8c0@pavilion>; from mh@neonsky.net on Fri, Feb 02, 2001 at 12:56:42PM -0500
References: <200102021753.KAA24081@faith.cs.utah.edu> <002701c08d41$810430a0$0101a8c0@pavilion>

You need to be root to open ports lower than 1024, this root owned process
only opens the port, reads config files, and spawns children (with the
correct uid).

-ajb

On Fri, Feb 02, 2001 at 12:56:42PM -0500, Richard Ward wrote:
->It doesn't handle requests? That's something I didn't know. Thanks for shedding light on this, and sorry to those who are also saying "This has nothing to do with FreeBSD security".
->--
->Richard Ward, CEO
->richard@neonsky.net
->Neonsky Internet Services
->
->
->----- Original Message -----
->From: David G. Andersen <dga@pobox.com>
->To: Richard Ward <mh@neonsky.net>
->Cc: <freebsd-security@FreeBSD.ORG>
->Sent: Friday, February 02, 2001 12:53 PM
->Subject: Re: Apache uid/gid
->
->
->> The process running as root is the master process. Don't kill it,
->> don't step on it, it's doing what you want. It doesn't handle
->> requests; the non-root children do.
->>
->> You're right, btw - this has nothing to do with FreeBSD security. :)
->>
->> -Dave
->>
->> Lo and behold, Richard Ward once said:
->> >
->> > I'm not too sure this has anything to do with actual FreeBSD security, though it has been on my mind for some time. I'm running Apache 1.3.12 and it's binding to user and group id "nobody". When I start apache with apachctl, it spawns the amount of daemons listed in httpd.conf, though one of those spawns is running as root. I can kill the process running as root and all is well.
->> >
->> > My question is: Is this a threat? Having this mystery process that's not binding to the correct uid/gid specified, does it defeat the whole purpose of binding Apache to its own user/group?
->> >
->> > Thanks.
->> > --
->> > Richard Ward, CEO
->> > richard@neonsky.net
->> > Neonsky Internet Services
->> >
->>
->>
->> --
->> work: dga@lcs.mit.edu me: dga@pobox.com
->> MIT Laboratory for Computer Science http://www.angio.net/
->
->
->
->To Unsubscribe: send mail to majordomo@FreeBSD.org
->with "unsubscribe freebsd-security" in the body of the message
---end quoted text---

--
Andrew Barros <abarros@tjhsst.edu>
PGP Key Fingerprint: D3B8 0800 C45A 143E 5CF0 E112 0A1B AB36 B655 1FB8
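
The layout described in this thread (one root-owned master that opens the port and spawns request-handling children under the configured uid) can be checked from a process listing. The Python below is an added example, not part of any message in the thread; the `ps` sample is constructed, and the `nobody` worker user and a listening port below 1024 are assumptions taken from the thread.

```python
# Constructed sample of `ps -axo pid,ppid,user,command` output (not from the thread).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
  312     1 root     /usr/local/sbin/httpd
  313   312 nobody   /usr/local/sbin/httpd
  314   312 nobody   /usr/local/sbin/httpd
  315   312 nobody   /usr/local/sbin/httpd
  401     1 root     /usr/sbin/sshd
"""


def parse_ps(text, name="httpd"):
    """Return [(pid, ppid, user)] for processes whose command basename is `name`."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        pid, ppid, user, command = fields
        if command.split()[0].rsplit("/", 1)[-1] == name:
            procs.append((int(pid), int(ppid), user))
    return procs


def audit(procs, worker_user="nobody"):
    """Return a list of findings; an empty list means the expected layout."""
    pids = {pid for pid, _, _ in procs}
    # The master is the httpd whose parent is not itself an httpd.
    masters = [p for p in procs if p[1] not in pids]
    if len(masters) != 1:
        return [f"expected 1 master process, found {len(masters)}"]
    master_pid, _, master_user = masters[0]
    findings = []
    # Assumption: the server listens on a port below 1024, so the master is root.
    if master_user != "root":
        findings.append(f"master {master_pid} runs as {master_user}, not root")
    for pid, ppid, user in procs:
        if pid == master_pid:
            continue
        if ppid != master_pid:
            findings.append(f"pid {pid} is not a child of master {master_pid}")
        # A child handles requests, so it must not keep the master's privileges.
        if user != worker_user:
            findings.append(f"child {pid} runs as {user}, expected {worker_user}")
    return findings
```

On a live host the input would be the captured output of `ps -axo pid,ppid,user,command`; a root-owned child, not the root-owned master, is the condition worth alerting on.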