On Thu, 13 May 2004 13:19:14 +0200 Ilja Booij <[EMAIL PROTECTED]> wrote:
> Dan Weber wrote:
> > On Thu, May 13, 2004 at 10:29:44AM +0200, Ilja Booij wrote:
> >
> >>I've just checked on a webserver:
> >>the 'root' apache process also is in state LISTEN and runs as root. So I
> >>guess that's the way it's supposed to be. I presume Apache would be
> >>doing The Right Thing.
> >>
> >>>I've done some testing with moving drop_privileges to
> >>>server.c,CreateSocket and the only thing I can come up with is that the
> >>>daemon can not bind the right sockets on receiving a sighup due to lack
> >>>of privileges.
> >
> >
> > Please don't set up any webservers for me. Apache should not be
> > running as root, here are my apache processes.
>
> It's not my setup.. :)
>
> >
> > www-data 3784 0.0 0.1 12576 1480 ? S Apr30 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 3787 0.0 0.7 236688 6048 ? S Apr30 0:00 /usr/sbin/apache2 -k start -DSSL
> > www-data 3792 0.0 0.8 237164 6760 ? S Apr30 0:00 /usr/sbin/apache2 -k start -DSSL
>
> Interesting. I wonder how this works. Everywhere I look I see that
> people are talking about 1 apache running as root, and its children
> running as nobody, www-data or whatever. Please correct me if I'm wrong.
>
> we're going a bit off-topic here.. but interesting nonetheless.

Staying off topic, I'm not aware of a way of keeping listening to
privileged ports after a HUP if not running as root, but what you *can* do
is listen on say port 8080 and use something like ipnat to map requests on
port 80 to port 8080. That way, not even the parent runs as root.

-fr.

> Ilja
> _______________________________________________
> Dbmail-dev mailing list
> Dbmail-dev@dbmail.org
> http://twister.fastxs.net/mailman/listinfo/dbmail-dev
>

--
Feargal Reilly,
Codeshifter,
Chrysalink Systems.
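
The port-8080 arrangement suggested in the reply above, as an added C sketch of the daemon side (not code from dbmail or from anyone in the thread): because the listener sits on an unprivileged port, the SIGHUP path can close and re-create the socket without root. The names create_socket, bound_port, reload_listener and LISTEN_PORT are hypothetical, and the port 80 to 8080 mapping is assumed to be done outside the process by the packet filter.

```c
#include <netinet/in.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define LISTEN_PORT 8080 /* unprivileged; port 80 is mapped to it outside the process */

static volatile sig_atomic_t got_hup;
static void on_hup(int sig) { (void)sig; got_hup = 1; }

/* Bind and listen on the given TCP port (0 = kernel picks); returns fd or -1. */
int create_socket(unsigned short port) {
    struct sockaddr_in a;
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the socket is actually bound to, or 0 on error. */
unsigned short bound_port(int fd) {
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    if (getsockname(fd, (struct sockaddr *)&a, &len) < 0) return 0;
    return ntohs(a.sin_port);
}

/* What the HUP path does: close the listener and bind the same port again. */
int reload_listener(int old_fd, unsigned short port) {
    close(old_fd);
    return create_socket(port);
}

int main(void) {
    if (geteuid() == 0) return 1;          /* never needs root, so refuse it */
    signal(SIGHUP, on_hup);
    int fd = create_socket(LISTEN_PORT);
    while (fd >= 0) {
        pause();                           /* a real daemon would accept() here */
        if (got_hup) { got_hup = 0; fd = reload_listener(fd, LISTEN_PORT); }
    }
    return 1;
}
```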