As one said before, at least one commercial VS company[1] solved it by
running Apache in inetd mode[2]. This would allow port 80 to be
opened directly, but before Apache starts, the initializing program
would change into the VS and drop root privs, making Apache safe to run.
Inetd mode should not be used on a high-volume site (>100,000 hits
per day), though.

As another alternative, Apache could be made to lose root privs as soon
as the port assignment completes, and before anything else occurs.[3]
I have heard of one commercial VS doing this, but I can't recall whom.
To restart the server, just kill the VS's private master copy and have
a watchdog daemon re-run the root Apache again.[4]

Of course, this means distributing a "recommended patch" either on
FreeVSD's site or with the distribution source/RPMs.

[1] VServers
[2] Almost inetd; a central copy of Apache forks and re-reads the VS's
conf files for each new connection.[3]
[3] This means a nasty patch of Apache.[4]
[4] And each VS can't provide their own private copy of Apache.
--
Daniel Brown | Ignorance is no reason
[EMAIL PROTECTED] | for being difficult.
___________________ | ______________________
On Sat, 5 May 2001, Simon Garner wrote:
> Date: Sat, 5 May 2001 15:22:51 +1200
> From: Simon Garner <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Rebooting with WebAdmin scripts
>
> From: "Urivan Saaib" <[EMAIL PROTECTED]>
>
> >
> > LOL! Damn, forgot about that... Anyway, as Daryl comments, looking for
> > file type (dir, file, link, etc.) and owner?
> >
> > What problems can you see here?
> >
>
>
> Well that would perhaps fix the scenario I suggested.
>
> But it's still risky -- you'll be opening a whole bunch of holes you don't
> know about, and then trying to plug the ones you spot. Whereas if Apache's
> not running as root at all, the possibilities are hugely reduced.
>
>
>