Date: Wed, 19 Jul 2006 09:34:46 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-security@FreeBSD.ORG, danil@sochiwater.ru
Subject: Re: Port scan from Apache?
Message-ID: <200607190734.k6J7Yk6J036446@lurza.secnetix.de>
In-Reply-To: <44BDCD73.9030508@sochiwater.ru>
Danil V. Gerun <danil@sochiwater.ru> wrote:
> BTW, isn't it impossible for Apache (if it's running from non-root)
> to make connections from his port 80?

Normally Apache doesn't make connections (unless you use mod_proxy, and in that case it doesn't use port 80 as the source port). It rather accepts connections to its port 80.

However, the process of bind(2)ing to port 80 in order to accept connections to it is -- by default -- limited to processes with root privileges. There are several ways that can be accomplished without actually running the Apache server processes as root:

1. Usually you start Apache as root, then it bind(2)s to port 80, then it changes its UID to some other, non-privileged user (retaining the binding to port 80), and then it uses listen(2)/accept(2) to accept connections. That's the default setup, so most people use it.

2. You can start Apache as non-root right from the start and have it listen to some non-privileged port, e.g. 8080. If you don't want to force all users to enter that port number in the URLs all the time, you can use NAT to rewrite ports, and/or install a local forwarding rule (e.g. using IPFW) to forward packets destined for port 80 to port 8080.

3. FreeBSD offers the ability to change the range of ports that are considered privileged, using two sysctls. See the ip(4) manpage for details (and warnings). That way you can allow non-root processes to bind to ports below 1024 (e.g. 80), if you're willing to accept the risks.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Python is an experiment in how much freedom programmers need.
Too much freedom and nobody can read another's code; too little
and expressiveness is endangered."
        -- Guido van Rossum