On Apr 4, 2005 1:17 AM, Beber [Gentoo] <[EMAIL PROTECTED]> wrote:
> Ok, I see
>
> Many programs start use root privilege, and after root depends init,
> then "fork" as another user, like exim, svnserver & many others.
> Why can't I do that with apache ?

Apart from all the things already mentioned, let me also point out that running the first Apache process as an unprivileged user (nobody, e.g.) can have a negative impact on server security.

The only thing this process does after initialization is maintain the right number of unprivileged child processes, which serve all clients' requests. So attackers are not able to interact with the privileged process. Unprivileged children don't have access to all resources opened by the root process (like a low number port). Remote root exploits for Apache were uncommon (if any), weren't they? As Thierry suggested, you probably had some other local vulnerability.

If you dropped root privileges for _all_ Apache processes, an attacker who owned nobody's account (e.g. through PHP script vulnerabilities) would have access to more things - like sniffing all www server traffic (even encrypted), reading and modifying the main process address space, or stealing database passwords from Apache or PHP configuration files.

But if you still want to drop all root privileges, here is how to do it:

Run it on a high number port (>1024) <Apache_Port> as a regular user, the same one that is specified by the User directive in your httpd.conf. Then redirect all traffic from port 80 to <Apache_Port>. With iptables you can do it with:

    # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports <Apache_Port>

Correct me if I'm wrong, please.

Regards,
--
Robert Nowotniak
GPG: 1024D/AD2800F1
B7D2 EBA3 01F1 0049 013D E8A6 AEBA 7C82 AD28 00F1

--
[email protected] mailing list
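An added example, not part of the original message: a small audit of the process model the reply describes (one root parent whose only job is managing unprivileged children), run over `ps -eo pid,ppid,user,comm` output. The process name `apache2`, the worker account `nobody` and the sample listing are assumptions constructed for illustration.

```python
# Constructed sample of `ps -eo pid,ppid,user,comm` output (not from the post).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
  812     1 root     apache2
  830   812 nobody   apache2
  831   812 nobody   apache2
  832   812 root     apache2
  900     1 nobody   apache2
"""


def parse_ps(text):
    """Return one dict per process row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue  # ignore blank or malformed rows
        pid, ppid, user, comm = fields
        rows.append({"pid": int(pid), "ppid": int(ppid),
                     "user": user, "comm": comm.strip()})
    return rows


def audit(text, comm="apache2", worker_user="nobody"):
    """Flag deviations from: one root parent, all children unprivileged."""
    procs = [p for p in parse_ps(text) if p["comm"] == comm]
    pids = {p["pid"] for p in procs}
    # A parent is a server process whose own parent is not a server process.
    parents = [p for p in procs if p["ppid"] not in pids]
    findings = []
    root_parents = [p for p in parents if p["user"] == "root"]
    if len(root_parents) != 1:
        findings.append(f"expected 1 root parent, found {len(root_parents)}")
    for p in parents:
        if p["user"] != "root":
            findings.append(f"pid {p['pid']}: parent process runs as {p['user']}")
    for p in procs:
        if p["ppid"] in pids and p["user"] != worker_user:
            findings.append(
                f"pid {p['pid']}: child runs as {p['user']}, not {worker_user}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PS):
        print(finding)
```

In the constructed listing, pid 900 is a server started entirely as `nobody` (the setup the reply warns about) and pid 832 is a child that kept root.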
