httpd-users mailing list archives

From Anthony Cunningham <anthony...@om.asahi-kasei.co.jp>
Subject Re: [users@httpd] Apache 2.0 questions
Date Tue, 15 Apr 2003 01:44:30 GMT
I read on Slashdot that OpenBSD has privilege escalation, which I took to mean
that Apache can start as a normal user, be allowed privilege escalation just to
bind to 80, then do the rest as the normal user... I could be wrong though.

"Pitfield, Nickolas" wrote:

> Joshua,
>
> >Hmmm.... If that is your "100% sure" then I hate to see your answers when
> >you are only 99% sure ;-)
>
> Ouch :-)
>
> >The following page:
> >http://hoohoo.ncsa.uiuc.edu/docs/setup/httpd/User.html
> >shows that ncsa operates in exactly the same way as apache.  That is, when
> >started as root, it binds to the port as root, but serves requests under
> >the userid specified in the User directive.
>
> I checked the Upgrade page for NCSA and can find no mention anywhere of the
> User directive being added so I guess I was wrong after all - and I'm big
> enough to admit it :-(
>
> damn & blast - I hate being wrong :-(
>
> >Since almost everyone runs on the default port, almost everyone needs to
> >start apache (and ncsa in its time) as root.
>
> Is this true that they mostly run on port 80 ? I know it makes perfect sense
> especially when trying to guess a URL, but I saw a lot of servers running on
> 8888, 8080, 8000 etc in the past and as I haven't been running them myself
> recently I tended not to notice port numbers any more. Obviously if using
> port 80 then running as root (before switching) is a must. Actually don't
> answer - I can only think of a few servers recently that used anything
> other than port 80.
>
> >The simple answer: people don't like needing to include the port number in
> >the URL.  This: http://example.com:8080/ is much uglier than this:
> >http://example.com/
>
> I agree (see comments above).
>
> >The other issue is that if you bind to a non-root accessible port, then
> >you need to be aware that other users could steal that port away from you,
> >for example, during server restarts.  That is why well-known services are
> >run from root-only ports.
>
> True.
>
> Thanks for your answers - as I said I was trying to understand the reasons,
> and I think I now do.
>
> Regards.
>
>     Nick Pitfield
> ___________________________________________________________________________
> Configuration Management Engineer
> T: +44 (0)20 7348 1569 E: npitfield@metasolv.com
> MetaSolv Software Limited
> Avon House, Kensington Village, Avonmore Road, London W14 8TS
> T: +44 (0)20 7348 1500 F: +44 (0)20 7348 1501
> www.metasolv.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org



