
Bug#26239: marked as done (authbind - things not having to run as root to bind)



Your message dated Tue, 25 May 2004 21:23:39 +0200 (CEST)
with message-id <Pine.LNX.4.58.0405252121460.23471@trider-g7.ext.fabbione.net>
and subject line Closing old bugs
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at maintonly) by bugs.debian.org; 30 Aug 1998 04:03:03 +0000
Received: (qmail 17718 invoked from network); 30 Aug 1998 04:03:03 -0000
Received: from chiark.greenend.org.uk (mail@195.224.76.132)
  by debian.novare.net with SMTP; 30 Aug 1998 04:03:03 -0000
Received: from ian by chiark.greenend.org.uk with local-bsmtp (Exim 2.01 #4)
	id 0zCye8-0004Kp-00 (Debian); Sun, 30 Aug 1998 04:59:20 +0100
Received: from anarres.greenend.org.uk [172.18.45.2] (mail)
	by davenant.greenend.org.uk with esmtp (Exim 1.92 #1)
	id 0zCyTx-0003zP-00 (Debian); Sun, 30 Aug 1998 04:48:49 +0100
Received: from ian by anarres.greenend.org.uk with local (Exim 1.92 #1)
	id 0zCyUC-00003D-00 (Debian); Sun, 30 Aug 1998 04:49:04 +0100
From: Ian Jackson <ian@davenant.greenend.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <13800.52144.159700.239785@anarres.greenend.org.uk>
Date: Sun, 30 Aug 1998 04:49:04 +0100 (BST)
To: maintonly@bugs.debian.org
X-Debian-CC: debian-policy@lists.debian.org
Subject: authbind - things not having to run as root to bind
X-Mailer: VM 6.47 under Emacs 19.34.1
Sender: Ian Jackson <ian@chiark.greenend.org.uk>

Package: apache
Version: 1.3.0-2
Severity: wishlist

(Note crosspost to bug system and debian-policy.)

There are a number of programs which are setuid or run as root just
because they need to be able to bind to low port numbers.  This is
clearly unsatisfactory.

For a program I was writing (an SMTP intermediary) I needed to bind to
a low port but didn't want to deal with all that setuid/root hassle
(particularly since Tcl, the language I was writing in, would have to
be extended to have a setuid call).  So, instead:

I've written a small combination of an LD_PRELOAD library (hack) and a
setuid helper program.

You install the authbind package, set up the right things in /etc to
allow whatever user or group to bind to whatever port and then they
don't need to be root at all, and the application doesn't need to be
changed either.

This works fine for my application, and I've just tested it with
apache and it works there too.

At last, apache doesn't need to be root any more!

I've just sent the package into my upload queue and it will eventually
turn up in experimental.  I'm just posting here to let people know
(esp. the apache maintainer), and to file as a wishlist bug my request
that apache no longer run as root.  (I know it claims to drop
privilege, but it doesn't do it completely - it can still get it
back.  Try `ps' if you don't believe me - you can see the master
apache process as being root.)

As an _example_ I attach the things I had to do to
/etc/init.d/apache to get it to work.  Note several things:

* The script previously threw away all error messages!  Tsk tsk.
  I haven't fixed any occurrences of this apart from the one where I
  needed to see the diagnostic to debug the script.

* I've disabled the test for APACHECTL.  This is clearly no good; the
  arguments will have to be put in a separate shell var.

* I've used `really', a local invention of my own, to drop privs.
  Anything else similar will do.  I'm not sure about `su -c' - it
  might mangle things too much.

* I created the following file:
 -r-xr-xr--   1 www-data www-data        0 Aug 30 01:34 /etc/authbind/byport/80*
  to persuade authbind that apache was allowed to have port 80.

Ian.

--- /etc/init.d/apache~	Fri Jun  5 16:55:46 1998
+++ /etc/init.d/apache	Sun Aug 30 01:37:51 1998
@@ -4,18 +4,18 @@
 #
 
 NAME=apache
-PATH=/bin:/usr/bin:/sbin:/usr/sbin
+PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin
 DAEMON=/usr/sbin/apache
 SUEXEC=/usr/lib/apache/suexec
 PIDFILE=/var/run/$NAME.pid
 CONF=/etc/apache/httpd.conf
-APACHECTL=/usr/sbin/apachectl 
+APACHECTL='really -u www-data authbind /usr/sbin/apachectl'
 
 trap "" 1
 trap "" 15
 
 test -f $DAEMON || exit 0
-test -f $APACHECTL || exit 0
+#test -f $APACHECTL || exit 0
 
 if egrep -i "[^#]*\<ServerType\> inet" $CONF > /dev/null
 then
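Review bot: commenting out the existence check (the `-test -f $APACHECTL || exit 0` / `+#test -f $APACHECTL || exit 0` pair) is a consequence of turning APACHECTL into a whole command line, `really -u www-data authbind /usr/sbin/apachectl`; keep the variable as a plain path and put the privilege-dropping prefix in a second variable, e.g. `APACHECTL=/usr/sbin/apachectl` and `WRAPPER='really -u www-data authbind'`, invoked as `$WRAPPER $APACHECTL`, so `test -f $APACHECTL` stays meaningful. The PATH line deserves a comment too: prepending /usr/local/sbin:/usr/local/bin makes this root-run script resolve every command from /usr/local first, apparently just to find `really`; calling `really` and `authbind` by absolute path would avoid widening root's lookup path for the rest of the script.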
@@ -25,7 +25,7 @@
 case "$1" in
   start)
     echo -n "Starting web server: $NAME"
-    if $APACHECTL start > /dev/null 2>&1
+    if $APACHECTL start >/dev/null
     then
 	echo "."
     else
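Review bot: dropping `2>&1` in `+    if $APACHECTL start >/dev/null` lets apachectl's stderr reach the console, which is the right default for a start failure, but the submitter's own note says the other silenced invocations in this script were left as they were; the same treatment should be applied to every `> /dev/null 2>&1` site rather than only the one needed for debugging. Note also that `$APACHECTL start` relies on unquoted word splitting of the command string, which only works as long as none of the wrapper's arguments contain whitespace.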
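The permission file described in the report (byport/80, mode -r-xr-xr--, owned by www-data) is the entire authorisation policy: the setuid helper only asks whether the calling user has execute permission on that file, and the LD_PRELOAD shim never needs the application to change. The following Python model is an added example, not authbind's own code. It assumes only the byport rule (authbind has other rule files the report does not mention) and access(2)-style owner/group/other semantics with the root special case omitted; it builds a constructed tree in a temporary directory rather than touching /etc.

```python
"""Model of the authbind per-port permission check described in the report.

Added example, not authbind's own code.  Assumptions: only the
/etc/authbind/byport/<port> rule is modelled; the decision follows POSIX
access(2) semantics (owner bits if the caller owns the file, else group
bits if the caller is in the file's group, else other bits); the root uid
special case of access(2) is left out.
"""

import os
import shutil
import stat
import tempfile


def may_bind(port, uid, gids, root="/etc/authbind"):
    """Return True if a process running as (uid, gids) is allowed by the
    byport rule to bind `port`.  The helper itself runs as root, so the
    real question is whether the *calling* user may execute the file
    byport/<port>; that is why the report's listing shows -r-xr-xr--
    owned by www-data."""
    path = os.path.join(root, "byport", str(port))
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False                      # no rule file: deny
    mode = st.st_mode
    if not stat.S_ISREG(mode):
        return False                      # only a regular file is a rule
    if st.st_uid == uid:                  # owner: owner bits decide
        return bool(mode & stat.S_IXUSR)
    if st.st_gid in gids:                 # group member: group bits decide
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)      # everyone else: other bits decide


def demo():
    """Build a throwaway authbind tree (constructed sample, not /etc) with a
    byport/80 rule of mode 0554 and evaluate it for the owning user, a group
    member and a stranger, plus a port with no rule file at all."""
    root = tempfile.mkdtemp(prefix="authbind-demo-")
    try:
        byport = os.path.join(root, "byport")
        os.makedirs(byport)
        rule = os.path.join(byport, "80")
        open(rule, "w").close()
        os.chmod(rule, 0o554)             # -r-xr-xr-- as in the report
        owner, group = os.getuid(), os.getgid()   # stand-ins for www-data
        stranger = owner + 1                      # some other local account
        return {
            "owner_port_80": may_bind(80, owner, {group}, root),
            "group_member_port_80": may_bind(80, stranger, {group}, root),
            "stranger_port_80": may_bind(80, stranger, set(), root),
            "owner_port_25": may_bind(25, owner, {group}, root),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The model makes the operational point explicit: the mode bits on the rule file are the access control list for the port. The report's file grants execute to owner and group only; an extra o+x bit would let every local account bind port 80, so those bits are what to review when auditing such a setup.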
---------------------------------------
Received: (at 26239-done) by bugs.debian.org; 25 May 2004 19:23:42 +0000
>From fabbione@fabbione.net Tue May 25 12:23:42 2004
Return-path: <fabbione@fabbione.net>
Received: from port1845.ds1-khk.adsl.cybercity.dk (trider-g7.fabbione.net) [212.242.190.82] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BShWX-0003o3-00; Tue, 25 May 2004 12:23:41 -0700
Received: from trider-g7.ext.fabbione.net (port1845.ds1-khk.adsl.cybercity.dk [212.242.190.82])
	by trider-g7.fabbione.net (Postfix) with ESMTP
	id BE28716; Tue, 25 May 2004 21:23:39 +0200 (CEST)
Date: Tue, 25 May 2004 21:23:39 +0200 (CEST)
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Sender: fabbione@fabbione.net
To: 26239-done@bugs.debian.org, 74965-done@bugs.debian.org
Subject: Closing old bugs
Message-ID: <Pine.LNX.4.58.0405252121460.23471@trider-g7.ext.fabbione.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Delivered-To: 26239-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-0.1 required=4.0 tests=BAYES_44 autolearn=no 
	version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


Hi,
	I asked for more information regarding these bugs over a month ago and
received no replies from the submitters.
Apparently they are not relevant anymore. I am closing them, but please
feel free to reopen in case you are still experiencing the problem
reported.

Thanks
Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.