Date:      Mon, 22 May 1995 22:52:36 -0400 (EDT)
From:      Mark Hittinger <bugs@ns1.win.net>
To:        mbailey@gnu.ai.mit.edu
Cc:        hackers@FreeBSD.org
Subject:   Re: multi virtual web sites
Message-ID:  <199505230252.WAA27625@ns1.win.net>
In-Reply-To: <Pine.SUN.3.91.950522212448.2356C-100000@cps201> from "CMU Mail Archive" at May 22, 95 09:26:12 pm

> 
> On Mon, 22 May 1995, Mark Hittinger wrote:
> > 
> > I use the CERN httpd and the patches went in very easily.  I had to
> > fool around a little bit with the technique.  The bind() call needs
> > to be executed with privilege, so you have to run as root.  This is
> > nasty, however, the "parentuserid"/"parentgroupid" can get you around
> > that little nasty.

mbailey@gnu.mit.... wrote:

> Run as ROOT! No way in hell! I installed the patch just nicely running 
> -current and everything seems to work fine for me the pages are not set 
> up correctly yet but www.cps.cmich.edu and www.journey.com both run on 
> the same machine right now without running as root :/
> 

Hmmm, well, let's make sure we are talking apples and apples.  Are we
talking about port 80?  I didn't use an inetd technique for these
servers - I used the fork mode.  I thought port 80 was a privileged
port and you need some privilege to be able to bind to it.   Are you
saying that an unprivileged program can bind to port 80 on -current?

I've seen some guys write a small root wrapper that gets the port and puts
up a chroot/chdir jail then drops privs and exec's httpd.....maybe that's what
you have?

In any event parentuserid drops root privs right after the bind() call.
I probably do need to code some sort of chroot jail cell for the httpd
though.

Regards,


Mark Hittinger
bugs@win.net
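
The root wrapper described in the message above (get the port, put up a chroot/chdir jail, drop privileges, exec the server), as an added example that is not part of the original e-mail and not CERN httpd code. The jail directory, uid, gid and program path come from the command line, and it assumes the exec'd server can accept connections on a listening socket inherited as descriptor 0.

```c
/* Added example: bind a privileged port, jail, drop root for good, exec the server. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bind and listen on a TCP port; needs root when port < 1024. */
int bind_listener(unsigned short port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0), on = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 64) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Give up root permanently. Order matters: groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;    /* refuse to "drop" to root */
    if (setgroups(1, &gid) < 0) return -1;  /* clear supplementary groups */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0) return -1;          /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 5) { fprintf(stderr, "usage: %s jaildir uid gid prog [args]\n", argv[0]); return 2; }
    int fd = bind_listener(80);                                      /* 1. privileged bind */
    if (fd < 0) { perror("bind"); return 1; }
    if (chroot(argv[1]) < 0 || chdir("/") < 0) { perror("chroot"); return 1; } /* 2. jail */
    if (drop_privileges((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) < 0) {     /* 3. drop */
        fprintf(stderr, "privilege drop failed\n"); return 1;
    }
    if (fd != 0 && (dup2(fd, 0) < 0 || close(fd) < 0)) return 1;     /* 4. listener on fd 0 */
    execv(argv[4], &argv[4]);                   /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```

The chroot() happens before the privilege drop because it requires root, and the chdir("/") right after it keeps the working directory from pointing outside the jail.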


