httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: httpd core files on Linux?
Date Mon, 27 Jul 1998 15:54:54 GMT


On 25 Jul 1998, James H. Cloos Jr. wrote:

> >>>>> "Dean" == Dean Gaudet <dgaudet@arctic.org> writes:
> 
> Dean> This is one of the reasons I did the "-p" patch which lets httpd
> Dean> run as nobody all the time (a small wrapper opens the ports, and
> Dean> uses -p to pass the FD#s to httpd).
> 
> If you are using 2.1 kernels this can also be done by using a wrapper
> that drops all of its capabilities other than CAP_NET_BIND_SERVICE,
> changes to the uid apache should run under and exec's apache.

Unfortunately that's insecure.  You're giving the www userid permission to
open arbitrary ports below 1024.  My suggestion opens the exact ports
necessary and doesn't give it free rein... 

Dean
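The wrapper scheme Dean describes, written out as an added example (this is not the original "-p" patch and not Apache's own code): a small privileged program binds exactly the listed TCP ports, gives up root entirely, and execs the server with the listening descriptor numbers on its command line. The server path, the uid/gid arguments and the `-p <fd>` argument form are assumptions made here for illustration.

```c
/* listen_wrapper.c: privileged port-opening wrapper (added example, not
 * the original patch). Runs as root, binds the exact TCP ports given on
 * the command line, drops all privilege to an unprivileged uid/gid, then
 * execs the server with the listening descriptor numbers as arguments.
 * The server path and the "-p <fd>" option syntax are assumptions.
 *
 * Build: cc -Wall -o listen_wrapper listen_wrapper.c
 * Usage: sudo ./listen_wrapper 65534 65534 /usr/sbin/httpd 80 443
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on one TCP port; returns the listening fd or -1.
 * The descriptor is deliberately left without FD_CLOEXEC so that it is
 * inherited by the unprivileged server across exec. */
int open_listen_socket(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* True when the descriptor will survive exec (no FD_CLOEXEC). */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && !(flags & FD_CLOEXEC);
}

/* Give up root completely: supplementary groups, then gid, then uid.
 * Returns 0 on success, -1 on failure. For a non-root target the process
 * must end up unable to regain uid 0. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* must fail once we are unprivileged */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s uid gid server port [port...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)atoi(argv[1]);
    gid_t gid = (gid_t)atoi(argv[2]);
    const char *server = argv[3];
    int nports = argc - 4;

    /* Child argv: server, then an assumed "-p <fd>" pair per port, then NULL. */
    char **cargv = calloc((size_t)(2 * nports + 2), sizeof *cargv);
    if (cargv == NULL)
        return 1;
    cargv[0] = (char *)server;
    for (int i = 0; i < nports; i++) {
        int fd = open_listen_socket(atoi(argv[4 + i]));   /* still root here */
        if (fd < 0) {
            perror("bind");
            return 1;
        }
        char fdbuf[16];
        snprintf(fdbuf, sizeof fdbuf, "%d", fd);
        cargv[1 + 2 * i] = "-p";
        cargv[2 + 2 * i] = strdup(fdbuf);
    }

    if (drop_privileges(uid, gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    /* From here on this process, and the server it becomes, cannot bind any
     * other port below 1024: it holds open sockets, not a permission. */
    execv(server, cargv);
    perror("execv");
    return 1;
}
```

The point of the contrast is in the last comment: after `setuid` the server inherits only the sockets that were opened for it, whereas a server that keeps CAP_NET_BIND_SERVICE can bind any port below 1024 for as long as it runs. When trying the wrapper unprivileged, a port of 0 binds an ephemeral port and needs no root.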



