RE: apache as non-root


 



I think you would need to elaborate on that statement. Frankly, I can see a few differences, but I am not sure whether those are what you were thinking about. Apache also does a chuid/chgid, effectively changing the UID/GID of the process to something which is hopefully not privileged.

Whether Apache is started with sudo or is suid root, anyone able to start an Apache instance with the configuration of his/her choice can do bad things on the server. The main advantage of sudo I can think of is that it at least allows you to restrict who is allowed to execute Apache with root privileges. On the other hand, you could apply the same restrictions using file system access control lists.

On a server with many users of which only a few are allowed to start Apache with root privileges, there is definitely an advantage to sudo.


-ascs
 
-----Original Message-----
From: Christian Folini [mailto:christian.folini@xxxxxxx] 
Sent: Thursday, November 8, 2007 11:10
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  apache as non-root

On Thu, Nov 08, 2007 at 11:00:10AM +0100, Krist van Besien wrote:
> > Sounds like a task for "sudo".
> 
> Another option is making the httpd executable suid root.

Ouch.

Starting a webserver on port 80 as a normal user is not a good thing. Sudo helps to limit the security breach somewhat if you really have to. Setting the suid flag is a lot worse securitywise. A lot.

regs,

Christian

> --
> krist.vanbesien@xxxxxxxxx
> krist@xxxxxxxxxxxxx
> Bremgarten b. Bern, Switzerland

Bern, Switzerland


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
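
Added example (not part of the thread and not Apache project code): a small audit of the point debated above, namely who can launch a suid-root httpd binary, judged from its owner and mode bits. The function names and the sample modes are constructed for illustration.

```python
import os
import stat


def suid_exposure(mode: int, owner_uid: int) -> str:
    """Classify who can run a binary with root privileges via its setuid bit.

    Only the classic mode bits are inspected. POSIX ACL entries are not
    visible here and must be reviewed separately (for example with getfacl).
    """
    is_suid_root = bool(mode & stat.S_ISUID) and owner_uid == 0
    if not is_suid_root:
        # No setuid bit, or setuid to a non-root owner: no root via this path.
        return "not-suid-root"
    if mode & stat.S_IXOTH:
        # World-executable: every local account can start it as root.
        return "suid-root:any-local-user"
    if mode & stat.S_IXGRP:
        # Restricted by group ownership, the file-system equivalent of
        # limiting the launcher set with a sudo rule.
        return "suid-root:group-members-only"
    return "suid-root:owner-only"


def writable_by_non_owner(mode: int) -> bool:
    """A suid binary that group or other can modify is a finding by itself."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(path: str) -> dict:
    """Stat a real file and report its exposure (path supplied by the caller)."""
    st = os.stat(path)
    return {
        "path": path,
        "exposure": suid_exposure(st.st_mode, st.st_uid),
        "writable_by_non_owner": writable_by_non_owner(st.st_mode),
    }


if __name__ == "__main__":
    # Constructed samples: (description, mode, owner uid)
    samples = [
        ("chmod 4755, root-owned", 0o104755, 0),
        ("chmod 4750, root-owned", 0o104750, 0),
        ("chmod 0755, root-owned", 0o100755, 0),
    ]
    for label, mode, uid in samples:
        print(f"{label}: {suid_exposure(mode, uid)}")
```
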



