httpd-users mailing list archives

From "Victor Trac" <victor.t...@gmail.com>
Subject Re: [users@httpd] RE: failure notice
Date Thu, 06 Apr 2006 07:58:26 GMT
If the UID of the apache process somehow gets compromised, it would be
better to have that account running as a non-privileged account than as
root.  At least then the UID is somewhat confined to the account's access
restrictions, rather than have access to the entire file system as root.

-Victor

On 4/5/06, Amalan, S <Sountharanayaga.Amalan@comverse.com> wrote:
>
> Thanks much.  This explains why my installation did not need root
> privileges - I was running it on port 1150 or so.
>
> This also brings up the question: is there a reason to set the port to
> be below 1024 so that only root can start it up?  Is there a downside to
> running Apache on a port greater than 1024?
>
> There must have been some reason for designing it in such a way that the
> process owner gets dropped from root to a non-zero UID account.  I guess
> I am confused because if you need to be root to start it up, why should
> the process owner be dropped after binding to the privileged port to a
> non-zero UID account? And if you weren't root to begin with you wouldn't
> be able to start up Apache anyway.
>
> Amalan
>
>
>


--
http://www.victortrac.com