RE: apache as non-root

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> -----Original Message-----
> From: chris [mailto:chris@xxxxxx] 
> Sent: Tuesday, November 06, 2007 4:20 PM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re:  apache as non-root
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> A work around, sort of:
> 
> If you are using an OS with the ability to port forward (iptables on
> linux for example) you can create rules to forward the port 80
> connection to a high port (say 8080) that the non-root-user apache
> instance is listening on.
> 
> You end up listening on two ports, but you get the desired effect of
> having a totally user owned (startable stoppable without ever being
> root) apache instance that is accessible via port 80.

This is a clever "work-around", but for the record, it is worth pointing
out what you are sacrificing here:

The behaviour that the OP is trying to defeat (non-root can't listen on
ports < 1024) is there for a good reason - security. By forwarding the
trusted port 80 traffic to a port belonging to a plain user, you bypass
that security mechanism. It basically means that an un-privileged user
controls the HTTP server, while an external client thinks he's talking
to a root-owned process. 

This might be OK if the OP has a research or test environment but it's a
but flaky for the real world. It's a bit like a boss letting his
secretary read and reply to his e-mails using his signature. Fine - so
long as he trusts his secretary :-)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> chris
> 
> 
> Melanie Pfefer wrote:
> > thanks. But any workaround?
> > thanks.
> > --- Tony Stevenson <tony@xxxxxxxxxxx> wrote:
> > 
> >> Melanie Pfefer wrote:
> >>> hi
> >>>
> >>> I modified user in httpd.conf but as long as the
> >> port
> >>> number is 80, only root can start apache.
> >> subsequent
> >>> process will be run as non-root.
> >> This is expected behaviour.
> >>
> >>> any idea how to allow this user to start apache?
> >> To start Apache on port 80, you need root level
> >> access as these are 
> >> privilged ports.
> >>
> >> You can user another account, but the port has to be
> >>> 1024.
> >>
> >> Tony
> >>
> > 
> > 
> > 
> >       ___________________________________________________________ 
> > Want ideas for reducing your carbon footprint? Visit Yahoo! 
> For Good  http://uk.promotions.yahoo.com/forgood/environment.html
> > 
> > 
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP 
> Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFHMIY8tqidmIdniVgRAjtMAJoCM37rSapVIHec8t7tm/QKeqT9ZQCeLskc
> yS2/8s/BLWdB13rzY9ZEz7M=
> =2F1K
> -----END PGP SIGNATURE-----
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
 
 
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux