httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Linux: CAP_DAC_OVERRIDE needed - why?
Date Sat, 20 Jul 2013 22:15:45 GMT
Hi

I am trying to restrict Apache 2.4.5 / 2.4.6-dev as much as possible.

Without "CAP_DAC_OVERRIDE" I get warnings about any docroot not existing, while
after start all vhosts are fully operational. The other capabilities are
clear: to switch the user and bind port 80, CAP_IPC_LOCK maybe for php-opcaches.

But why does httpd need CAP_DAC_OVERRIDE while starting initially as root?

CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
Jul 21 00:04:01 srv-rhsoft httpd[8813]: AH00112: Warning: DocumentRoot [/mnt/data/www/www] does not exist
Jul 21 00:04:01 srv-rhsoft httpd[8813]: AH00112: Warning: DocumentRoot [/mnt/data/www/private] does not exist

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
all fine, no warnings
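
An added example, not part of the original message and not httpd code: per capabilities(7), a uid 0 process without CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH is subject to ordinary permission-bit checks, so this script walks a DocumentRoot's ancestor directories and reports the first one such a process could not search. That a denied lookup is what produces the AH00112 warning here is an assumption; the ownership and modes in `SAMPLE`, the uid/gid 48 web user, and the function names are constructed for illustration.

```python
import os
import stat
import sys
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")

# Constructed ownership/modes (not from the message): one ancestor belongs to
# a hypothetical web user (uid/gid 48) and grants nothing to "other".
SAMPLE = {
    "/": FakeStat(0o040755, 0, 0),
    "/mnt": FakeStat(0o040755, 0, 0),
    "/mnt/data": FakeStat(0o040755, 0, 0),
    "/mnt/data/www": FakeStat(0o040750, 48, 48),
}

def search_allowed(st, uid, gids):
    """Ordinary DAC check for directory search (x); no capability bypass."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocked_ancestor(path, uid=0, gids=(0,), stat_fn=os.stat):
    """Return the first ancestor directory of `path` that uid/gids cannot
    search by permission bits alone, or None. ACLs and LSM policy are ignored."""
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    current = os.sep
    # Only ancestors matter: stat() on the leaf needs no permission on the leaf.
    for part in [""] + parts[:-1]:
        current = os.path.join(current, part)
        if not search_allowed(stat_fn(current), uid, gids):
            return current
    return None

if __name__ == "__main__":
    # With arguments: inspect real paths. Without: run on the constructed sample.
    for docroot in sys.argv[1:]:
        print(docroot, "->", first_blocked_ancestor(docroot))
    if len(sys.argv) == 1:
        print(first_blocked_ancestor("/mnt/data/www/www", stat_fn=SAMPLE.__getitem__))
```

Run with the configured DocumentRoot paths as arguments; a non-None result names the directory whose owner, group or mode would have to change for the restricted bounding set to work without CAP_DAC_OVERRIDE.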

