[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: exploring debian's users and groups

On Wed, 8 Aug 2001, Radovan Garabik wrote:

> On Tue, Aug 07, 2001 at 03:24:40PM -0700, Marc Martinez wrote:
> > On Tue, Aug 07, 2001 at 11:01:29PM +0200, Marcin Owsiany wrote:
> > > On Tue, Aug 07, 2001 at 09:13:01PM +0200, Radovan Garabik wrote:
> > > > somebody might want to start apache as non-root for security reasons
> > > > (I do). Logfiles owned by www-data come handy in this case.
> > > 
> > > How do you make it bind to port 80 then?
> I am using pseudo-acl's
> However, one can run apache on other port
> (and eventually use a port forwarder, if port 80 is desirable)
> > 
> > if you're not using an enhanced kernel (LIDS, pseudo-acl's, RSBAC,
> > etc) and only need ipv4 sockets you might look into the 'authbind'
> > package.  minimal extra setup, other than needing to edit the init.d
> > script of the program in question, and it does the job quite nicely.
> were you able to make it work with apache? It did not work for me

That reminds me of a german proverb: "Warum einfach, wenn es umständlich
auch geht."

I simply put "User www-data\nGroup www-data" into httpd.conf, then apache
will start as root, open the logfiles and port 80, then set uid and gid
accordinly and start the processes which serve the client requests.

No problem with port 80 or logfiles owned by root while apache runs as 
a nonprivileged user.

Manfred Wassmann
PGP and GnuPG public keys available at http://germany.keyserver.net
PGP: 24B81049 Fingerprint: D7 10 EE 2B 74 16 C0 64  B4 5F BA B2 90 29 3D AF
GPG: 6B299971 Fingerprint: A598 A41F 57A3 5D69 83D2  8027 1274 F8CD 6B29 9971
 +++  I18N ?  For international language set LANG=POSIX  +++

Reply to: