From: "Axel-Stephane SMORGRAV"
To: users@httpd.apache.org
Date: Thu, 8 Nov 2007 15:12:17 +0100
Subject: RE: [users@httpd] apache as non-root

-----Original Message-----
> From: jslive@gmail.com [mailto:jslive@gmail.com] On behalf of Joshua Slive
> Sent: Thursday, 8 November 2007 14:56
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] apache as non-root
>
> On Nov 8, 2007 7:11 AM, Axel-Stephane SMORGRAV wrote:
>> Whether Apache is started with sudo or is suid root, anyone able to start an Apache instance with the configuration of his/her choice can do bad things on the server.
>
> No, if apache is started with normal user privileges, it can't do harm beyond the privileges of that user. By setting apache suid root, anyone on your system can obtain complete root access by using the -f flag to specify a config file. (I won't give specifics of what you need to put in the config file, but it is quite easy for anyone with some apache knowledge.)

Well, Joshua, that was basically what I was trying to say. If Apache is started with root privileges (whether sudo or setuid) with a carefully crafted configuration, bad things can happen.

So the question is rather whether you can entrust some or all legitimate non-root users of the host with the ability to start Apache with root privileges so it can bind to reserved ports, and in that case how you choose to do so.

-ascs
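Two checks that follow from the point the thread settles on, written here as an added example; this is not code from the thread, from either poster, or from the Apache project. The first reports whether an httpd binary is setuid root, which is the setup Joshua warns about (any local user could then start it as root and choose the config file with -f). The second reads a sudoers user-spec line and reports whether the httpd command it grants has its full argument list pinned, including -f and the config path, or whether the caller is left free to pick the arguments. The binary paths, group and user names and sudoers lines below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Apache project.
#   audit_binary        - is this httpd binary setuid root?
#   audit_sudoers_line  - does a sudoers rule pin httpd's arguments (so -f is fixed),
#                         or does it leave them to the caller?
# Binary paths, group/user names and rules are constructed for illustration.

# has_setuid_bit FILE : success if the setuid bit is set (POSIX "test -u")
has_setuid_bit() {
    [ -u "$1" ]
}

# owned_by_root FILE : success if FILE is owned by root (POSIX "find -user")
owned_by_root() {
    [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# audit_binary FILE : prints one verdict and always returns 0
#   SETUID-ROOT   setuid bit set and root-owned: every local user can run it as root
#   SETUID-OTHER  setuid bit set but not root-owned: runs as that owner, still worth a look
#   MISSING       no such file
#   OK            not setuid
audit_binary() {
    if [ ! -f "$1" ]; then
        echo MISSING
    elif ! has_setuid_bit "$1"; then
        echo OK
    elif owned_by_root "$1"; then
        echo SETUID-ROOT
    else
        echo SETUID-OTHER
    fi
    return 0
}

# cmnd_pins_args SPEC : success if a sudoers command spec fixes the argument list.
# sudoers semantics: a bare path allows ANY arguments, "" allows none, and a
# wildcard lets the caller vary them; only a fully spelled-out list is pinned.
cmnd_pins_args() {
    spec=$1
    case "$spec" in
        *'*'*|*'?'*|*'['*) return 1 ;;
    esac
    pa_ifs=$IFS; IFS=' '
    set -- $spec                 # word-split: a single word means "path only"
    IFS=$pa_ifs
    [ $# -ge 2 ]
}

# sudoers_commands LINE : print the commands granted by a user-spec line, one per
# line, with "user HOST=", the Runas "(...)" and tags such as NOPASSWD: removed.
sudoers_commands() {
    rest=$(printf '%s' "$1" | tr '\t' ' ')
    rest=${rest#*=}                                  # drop "user HOST="
    rest=${rest#"${rest%%[! ]*}"}                    # trim leading spaces
    case "$rest" in "("*")"*) rest=${rest#*\)} ;; esac   # drop "(root)"
    while :; do
        rest=${rest#"${rest%%[! ]*}"}
        case "$rest" in
            [A-Z]*:*) rest=${rest#*:} ;;             # drop a tag like NOPASSWD:
            *) break ;;
        esac
    done
    sc_ifs=$IFS; IFS=,; set -f                       # split on commas, no globbing
    for c in $rest; do
        c=${c#"${c%%[! ]*}"}; c=${c%"${c##*[! ]}"}   # trim both ends
        if [ -n "$c" ]; then printf '%s\n' "$c"; fi
    done
    set +f; IFS=$sc_ifs
}

# audit_sudoers_line LINE : prints PINNED if every httpd/apachectl command in the
# rule fixes its arguments, OPEN if any leaves them to the caller, NONE if the
# rule grants no httpd command at all. Always returns 0.
audit_sudoers_line() {
    verdict=NONE
    cmds=$(sudoers_commands "$1")
    al_ifs=$IFS; IFS='
'; set -f
    for c in $cmds; do
        case "$c" in
            */httpd*|*/apache2*|*/apachectl*) ;;
            *) continue ;;
        esac
        if cmnd_pins_args "$c"; then
            if [ "$verdict" = NONE ]; then verdict=PINNED; fi
        else
            verdict=OPEN
        fi
    done
    set +f; IFS=$al_ifs
    echo "$verdict"
    return 0
}

# Stand-alone demo on constructed input (paths and rules are not from the thread)
for b in /usr/sbin/httpd /usr/sbin/apache2 /usr/local/apache2/bin/httpd; do
    printf '%-32s %s\n' "$b" "$(audit_binary "$b")"
done
for rule in \
    '%webadm ALL=(root) NOPASSWD: /usr/sbin/httpd -k start -f /etc/httpd/httpd.conf' \
    '%webadm ALL=(root) NOPASSWD: /usr/sbin/httpd'; do
    printf '%-8s %s\n' "$(audit_sudoers_line "$rule")" "$rule"
done
```

The sudoers check looks only at the command spec of a user-spec line; it does not evaluate Defaults such as env_reset or secure_path, and a pinned rule on apachectl still depends on what that wrapper script itself does with its environment. It answers the narrower question Axel-Stephane poses: if a group of non-root users is to be trusted to start Apache as root, the rule should name the exact httpd invocation, config path included, rather than the bare binary.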