> Wouldn't that run Apache with root permissions? Part of the goal is to
> strip Apache of root permissions. The only thing it needs them for is so
> it can open port 80. Seems a bad security decision to give it those
> permissions for such a small thing.
Have you bothered at all to read either the very well commented httpd.conf or the documentation regarding the 'User' and 'Group' permissions and the architecture of the server?
Seems pretty naive of you to assume that the Apache folks and all of the contributors have overlooked something quite obvious for all of those years.
In a *very* simplistic overview, the first thing Apache does with a request *is* to "give up" its root privileges after it has bound to the privileged socket.
There is plenty of documentation about the Apache architecture, and if you don't believe me when I tell you that the security implementation in Apache is pretty darned good, you can read that and check out the Netcraft surveys that seem to support the notion that Apache's security ain't too shabby.
And if that were the *only* thing Apache needed root permissions for, I doubt that we would even see the lead process retain root.
Also, there's nothing stopping you from setting up an Apache listener on some port >1024 and using PAT (Port-Address-Translation) or a simple proxy (I'm sure a simple netcat one-liner would do fine).
Do some research and ask some more questions.
Mike/
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members