Date:      Fri, 2 Feb 2001 14:30:55 -0500
From:      Andrew Barros <abarros@tjhsst.edu>
To:        Richard Ward <mh@neonsky.net>
Cc:        "David G. Andersen" <dga@pobox.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Apache uid/gid
Message-ID:  <20010202143055.A20054@tjhsst.edu>
In-Reply-To: <002701c08d41$810430a0$0101a8c0@pavilion>; from mh@neonsky.net on Fri, Feb 02, 2001 at 12:56:42PM -0500
References:  <200102021753.KAA24081@faith.cs.utah.edu> <002701c08d41$810430a0$0101a8c0@pavilion>

You need to be root to open ports lower than 1024; this root-owned process only opens the port, reads config files, and spawns children (with the correct uid).

	-ajb
On Fri, Feb 02, 2001 at 12:56:42PM -0500, Richard Ward wrote:
->It doesn't handle requests? That's something I didn't know. Thanks for shedding light on this, and sorry to those who are also saying "This has nothing to do with FreeBSD security".
->--
->Richard Ward, CEO
->richard@neonsky.net
->Neonsky Internet Services
->
->
->----- Original Message ----- 
->From: David G. Andersen <dga@pobox.com>
->To: Richard Ward <mh@neonsky.net>
->Cc: <freebsd-security@FreeBSD.ORG>
->Sent: Friday, February 02, 2001 12:53 PM
->Subject: Re: Apache uid/gid
->
->
->> The process running as root is the master process.  Don't kill it,
->> don't step on it, it's doing what you want.  It doesn't handle
->> requests;  the non-root children do.
->> 
->> You're right, btw - this has nothing to do with FreeBSD security. :)
->> 
->>   -Dave
->> 
->> Lo and behold, Richard Ward once said:
->> > 
->> > I'm not too sure this has anything to do with actual FreeBSD security, though it has been on my mind for some time. I'm running Apache 1.3.12 and it's binding to user and group id "nobody". When I start apache with apachectl, it spawns the number of daemons listed in httpd.conf, though one of those spawns is running as root. I can kill the process running as root and all is well.
->> > 
->> > My question is: Is this a threat? Having this mystery process that's not binding to the correct uid/gid specified, does it defeat the whole purpose of binding Apache to its own user/group?
->> > 
->> > Thanks.
->> > --
->> > Richard Ward, CEO
->> > richard@neonsky.net
->> > Neonsky Internet Services
->> > 
->> 
->> 
->> -- 
->> work: dga@lcs.mit.edu                          me:  dga@pobox.com
->>       MIT Laboratory for Computer Science           http://www.angio.net/
---end quoted text---

-- 
Andrew Barros <abarros@tjhsst.edu>
PGP Key Fingerprint:
D3B8 0800 C45A 143E 5CF0  E112 0A1B AB36 B655 1FB8
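
The process model described in this thread (one root master that binds the port, non-root children that serve requests) can be checked from `ps` output. The script below is an added example, not part of the original messages; the function names `audit_httpd` and `sample_ps`, the column layout (as produced by `ps -axo user,pid,ppid,comm`) and the sample process table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit Apache's master/worker split from a process listing.
# Input on stdin: lines of "USER PID PPID COMMAND".
# Passes only if there is exactly one root-owned httpd (the master)
# and every other httpd is a non-root child of that master.
audit_httpd() {
    awk -v name="${1:-httpd}" '
        $4 == name || $4 ~ ("/" name "$") { user[$2] = $1; ppid[$2] = $3 }
        END {
            for (p in user)
                # Master: runs as root and its parent is not another httpd.
                if (user[p] == "root" && !(ppid[p] in user)) { masters++; master = p }
            if (masters != 1) {
                printf "FAIL: expected 1 root master, found %d\n", masters
                exit 1
            }
            for (p in user) {
                if (p == master) continue
                if (user[p] == "root") {
                    printf "FAIL: pid %s runs as root below the master\n", p; bad = 1
                } else if (ppid[p] != master) {
                    printf "FAIL: pid %s (%s) is not a child of master %s\n", p, user[p], master; bad = 1
                } else workers++
            }
            if (bad) exit 1
            printf "OK: master pid %s (root), %d workers\n", master, workers
        }'
}

# Constructed sample listing (not taken from a real host).
sample_ps() {
    cat <<'EOF'
USER    PID  PPID COMMAND
root    312     1 httpd
nobody  313   312 httpd
nobody  314   312 httpd
nobody  315   312 httpd
root    401     1 sshd
EOF
}

sample_ps | audit_httpd
```

On a live system the same check would be `ps -axo user,pid,ppid,comm | audit_httpd`. A listing in which the root master is gone fails the check, because the remaining workers no longer have a root parent.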
