Apache as root

 
admin35
(Msg. 1) Posted: Thu Aug 07, 2003 10:22 am
Post subject: Apache as root
Archived from groups: alt.apache.configuration

I have what seems like a newbie question. But why does the httpd parent
(Apache/1.3.28) run as root?

Yes, Apache needs to bind to a lower port. But after that, why could the
parent not change its uid to, say, that of the nobody user, and accept
connections as that unprivileged user? I mean, is it really necessary that
the parent remains running as root? It seems to me that any and all serious
exploits exist because of the parent still running as root, right?

I am just trying to understand here. For my own news server I wrote, for
instance, I start up as root, of course, to bind to port 119. But after
that, I switch to an unprivileged user, and keep accepting connections as
that user.

So, what is it that makes it an absolute necessity that the httpd parent
keeps running as root? Is it because so vhosts could run as their own user?
I would gladly forego on that functionality if that meant all httpd
processes ran unprivileged.

Obviously, I must be overlooking something obvious. :) But I would be glad
if you told me what.

- Mark

user2375
(Msg. 2) Posted: Thu Aug 07, 2003 10:48 am
Post subject: Re: Apache as root

In article <le2dnYiSYMKCf6yiXTWJjw.DeleteThis@giganews.com>,
"Mark" <admin.DeleteThis@asarian-host.net> wrote:

 > I have what seems like a newbie question. But why does the httpd parent
 > (Apache/1.3.28) run as root?

Isn't that because the httpd parent has to spawn new httpd processes to
answer more requests?

patpro

davideyeahsure
(Msg. 3) Posted: Thu Aug 07, 2003 11:13 am
Post subject: Re: Apache as root

Mark <admin RemoveThis @asarian-host.net> wrote:
 > Yes, Apache needs to bind to a lower port. But after that, why could the
 > parent not change its uid to, say, that of the nobody user, and accept

Hummm... on my system I have this:

~> ps -ef | grep httpd
root 484 1 0 Jun26 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19288 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19289 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19290 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19291 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19292 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19401 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19402 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19403 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19406 484 0 00:19 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 22390 484 0 09:57 ? 00:00:00 /usr/local/apache/bin/httpd

As you can clearly see... only ONE process runs as "root", everything else
runs as "nobody", as you wished.

Davide
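Davide's listing is the shape to verify on any box: one root parent (whose own parent is init), and every child under it running as the configured User. As an added check that is not part of the thread, the script below parses a `ps -ef` listing and reports any request-serving child that runs as someone else. The embedded listing is the one Davide posted; the second listing is a constructed variant with one child left as root, to show what a finding looks like. Parent and child are told apart by the ppid column, and processes are matched on the executable's basename only, so the `grep httpd` line that a real `ps -ef | grep httpd` would also print is not counted.

```python
"""Audit which httpd processes run as root: exactly one parent, every
child as the configured User.  Added example, not a tool from the thread
and not Apache's code."""
import os
import subprocess

# Davide's listing, copied from his post (ps -ef | grep httpd).
DAVIDE_LISTING = """\
root 484 1 0 Jun26 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19288 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19289 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19290 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19291 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19292 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19401 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19402 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19403 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 19406 484 0 00:19 ? 00:00:00 /usr/local/apache/bin/httpd
nobody 22390 484 0 09:57 ? 00:00:00 /usr/local/apache/bin/httpd
"""

# Constructed variant: the same pool with one child still running as root.
ROOT_CHILD_LISTING = DAVIDE_LISTING.replace("nobody 19292", "root 19292")


def parse_ps_ef(text):
    """Return (user, pid, ppid, cmd) tuples from `ps -ef` output.
    The eight columns are UID PID PPID C STIME TTY TIME CMD; the CMD
    column may itself contain spaces, hence split(None, 7)."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or parts[0] == "UID":   # blank line or header
            continue
        procs.append((parts[0], int(parts[1]), int(parts[2]), parts[7]))
    return procs


def audit_httpd(ps_text, expected_user="nobody", name="httpd"):
    """Return a list of findings; an empty list means the listing looks
    like Davide's: one parent, every child running as expected_user."""
    procs = [p for p in parse_ps_ef(ps_text)
             if os.path.basename(p[3].split()[0]) == name]   # drops 'grep httpd'
    pids = {pid for _user, pid, _ppid, _cmd in procs}
    parents = [p for p in procs if p[2] not in pids]   # ppid is not an httpd
    children = [p for p in procs if p[2] in pids]      # forked by the parent
    findings = []
    if len(parents) != 1:
        findings.append(f"expected one {name} parent, found {len(parents)}")
    for user, pid, ppid, _cmd in children:
        if user != expected_user:
            findings.append(f"child pid {pid} (parent {ppid}) runs as {user!r}, "
                            f"expected {expected_user!r}")
    return findings


def audit_live(expected_user="nobody", name="httpd"):
    """Run the same check against the current machine."""
    out = subprocess.run(["ps", "-ef"], capture_output=True,
                         text=True, check=True).stdout
    return audit_httpd(out, expected_user, name)


if __name__ == "__main__":
    for label, listing in (("Davide's listing", DAVIDE_LISTING),
                           ("one root child", ROOT_CHILD_LISTING)):
        print(f"{label}: {audit_httpd(listing) or 'OK'}")
```

Pass the `User` value from httpd.conf as `expected_user` (and the binary name as `name` if it is not `httpd`); `audit_live()` runs the same check on the host the script is executed on.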
admin35
(Msg. 4) Posted: Thu Aug 07, 2003 11:17 am
Post subject: Re: Apache as root

"patpro" <patpro.pouet RemoveThis @archange.fr> wrote in message
news:patpro.pouet-963091.07481007082003@news.wanadoo.fr...

 > In article <le2dnYiSYMKCf6yiXTWJjw RemoveThis @giganews.com>,
 > "Mark" <admin RemoveThis @asarian-host.net> wrote:
 >
 > > I have what seems like a newbie question. But why does the httpd
 > > parent (Apache/1.3.28) run as root?
 >
 > isn't that because the httpd parent has to spawn new httpd process
 > to answer more requests ?

And it could not spawn them as "nobody"? I mean, the parent would only need
to run as root, for that, if the parent forks a child, and then changed the
uid of that child (to, say, the "nobody" or "www" user). But if the parent
already ran as "nobody", no need to change uid would exist either, I would
think. :)

The way I understand it (obviously not well enough), is that the parent
preforks a set of children, who, in turn, use threads to serve their
clients; right?

See, with sendmail I get it; it needs to run as root because it needs to
access people's home directories, set uid/gid on mail files and stuff. But
what such access does the httpd parent need? A few config files perhaps,
yes; so, we start it as root. I have no problem with that; I just fail to
see why the parent does not drop its root-privileges after that.

- Mark
user2375
(Msg. 5) Posted: Thu Aug 07, 2003 12:24 pm
Post subject: Re: Apache as root

In article <iSGdneIkEN68cqyiXTWJjw.DeleteThis@giganews.com>,
"Mark" <admin.DeleteThis@asarian-host.net> wrote:

 > > > I have what seems like a newbie question. But why does the httpd
 > > > parent (Apache/1.3.28) run as root?
 > >
 > > isn't that because the httpd parent has to spawn new httpd process
 > > to answer more requests ?
 >
 > And it could not spawn them as "nobody"? I mean, the parent would only need
 > to run as root, for that, if the parent forks a child, and then changed the
 > uid of that child (to, say, the "nobody" or "www" user). But if the parent
 > already ran as "nobody", no need to change uid would exist either, I would
 > think. :)

If the parent is nobody, I don't think it can spawn a process that binds
to a privileged port. It's just the way I see things, I'm not sure at
all.


 > The way I understand it (obviously not well enough), is that the parent
 > preforks a set of children, who, in turn, use threads to serve their
 > clients; right?

Not only. In fact Apache spawns a handful of children, but more might have
to be spawned if requests increase. And that's probably why the parent
process has to remain root.

patpro
admin35
(Msg. 6) Posted: Fri Aug 08, 2003 7:27 am
Post subject: Re: Apache as root

"Davide Bianchi" <davideyeahsure.RemoveThis@onlyforfun.net> wrote in message
news:bgt1n4$sg6js$1@ID-18487.news.uni-berlin.de...

 > Mark <admin.RemoveThis@asarian-host.net> wrote:

 > > Yes, Apache needs to bind to a lower port. But after that, why could
 > > the parent not change its uid to, say, that of the nobody user, and
 > > accept
 >
 > Hummm... on my system I have this:
 >
 > ~> ps -ef | grep httpd
 > root 484 1 0 Jun26 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19288 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19289 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19290 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19291 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19292 484 0 00:00 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19401 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19402 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19403 484 0 00:16 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 19406 484 0 00:19 ? 00:00:00 /usr/local/apache/bin/httpd
 > nobody 22390 484 0 09:57 ? 00:00:00 /usr/local/apache/bin/httpd
 >
 > As you can clearly see... only ONE process run as "root", everything else
 > run as "nobody", as you wished.

That is how it runs on my machine too, of course (well,
/usr/local/sbin/httpd, that is). I was just wondering how exploitable that
one root-process is.

- Mark
pbwh
(Msg. 7) Posted: Sun Aug 10, 2003 10:32 am
Post subject: Re: Apache as root

On Thu, 7 Aug 2003 07:22:35 +0200, "Mark" <admin.DeleteThis@asarian-host.net>
wrote:
 >Yes, Apache needs to bind to a lower port. But after that, why could the
 >parent not change its uid to, say, that of the nobody user, and accept
 >connections as that unprivileged user? I mean, is it really necessary that
 >the parent remains running as root?

I think this is how it works:

When the server first starts, the parent process opens maybe 8 child
processes that listen on port 80 by default. If the server gets busy
(i.e., lots of requests coming in), the parent process tries to keep
ahead of things by starting up more child processes (you want to have
more processes open than are actually being used at a given time,
otherwise new requests will have to wait while processes are loaded to
handle them). Now here's the key: only *root* can open ports below
1024. Since the parent process is constantly (when things are busy)
starting new child processes that use port 80, then the parent process
has to be *root*, since only root can start a process that uses port
80. (See p. 48 of "Apache: The Definitive Guide", O'Reilly.)

So if you want your child processes to use port 80, then they have to
be spawned by root, and only root. Thus the parent process has to run
as root.

However, if you don't mind having your new child processes spawned on
ports above 1024, then you probably don't need to have a parent
running as root.

Paul
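The bind-then-drop pattern Mark describes for his own news server in the first post, and the prefork pool Paul describes above, as one added example (Python; not Apache's source and not code from anyone in the thread). The parent binds the privileged port once while still root and forks a pool; each child drops to an unprivileged account and then accept()s on the listening socket it inherited across fork(). Because the bound socket is inherited, a child never has to bind anything itself, so it can give up root before it ever touches a client, and the parent, which only reaps and respawns, never reads a byte from the network. drop_privileges() also proves the switch is permanent by checking that setuid(0) now fails, which is the check a practitioner wants after any uid change. The account name, pool size, request limit per child and the canned HTTP reply are assumptions for the example. One thing the thread does not reach: the real Apache parent also keeps root so that on a restart signal it can re-read its configuration, re-open its log files and bind any newly configured Listen ports, none of which a dropped child could do.

```python
"""Prefork server: a root parent binds the privileged port once, then
unprivileged children accept on the inherited socket.  Added example that
mirrors the model discussed in the thread; it is not Apache's code.
Assumed for the example: the account names, the pool size, the per-child
request limit and the fixed 200 reply."""
import grp
import os
import pwd
import signal
import socket
import sys


def bind_listener(host, port, backlog=128):
    """Create the listening socket.  This is the only step that needs root
    when port < 1024 (or CAP_NET_BIND_SERVICE on Linux); the children
    inherit the bound, listening descriptor across fork()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(backlog)
    return s


def drop_privileges(uid, gid):
    """Permanently switch to uid/gid and prove that the switch is permanent.
    Order matters: supplementary groups and gid first (they still need
    root), uid last.  Returns True only if root cannot be regained."""
    if uid == 0:
        raise ValueError("refusing to 'drop' to uid 0")
    if os.geteuid() == 0:
        os.setgroups([])           # shed root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)                 # as root this sets real, effective and saved uid
    try:
        os.setuid(0)               # must fail: the saved uid is no longer 0
    except PermissionError:
        return os.getuid() == uid and os.geteuid() == uid
    raise RuntimeError("privilege drop was not permanent")


def serve_child(listener, uid, gid, max_requests):
    """One child: drop root first, then accept() on the inherited socket."""
    drop_privileges(uid, gid)
    for _ in range(max_requests):
        conn, _addr = listener.accept()
        with conn:
            conn.recv(4096)        # read (and ignore) the request
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nok\n")
    os._exit(0)                    # the parent notices and forks a fresh child


def run_parent(host, port, user, group, nchildren=4, max_requests=1000):
    """The root parent: bind once, fork the pool, reap and respawn.
    It never calls accept(), so no client data reaches a root process."""
    listener = bind_listener(host, port)
    uid, gid = pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid
    children = set()

    def spawn():
        pid = os.fork()
        if pid == 0:
            serve_child(listener, uid, gid, max_requests)
        children.add(pid)

    def shutdown(_signum, _frame):
        for pid in children:
            os.kill(pid, signal.SIGTERM)
        sys.exit(0)

    signal.signal(signal.SIGTERM, shutdown)
    signal.signal(signal.SIGINT, shutdown)
    for _ in range(nchildren):
        spawn()
    while True:                    # keep the pool at nchildren
        pid, _status = os.wait()
        children.discard(pid)
        spawn()


if __name__ == "__main__":
    # As root: port 80 and the unprivileged account.  As a normal user:
    # a port above 1023 and your own account, which setuid() still accepts.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    user = sys.argv[2] if len(sys.argv) > 2 else pwd.getpwuid(os.getuid()).pw_name
    group = sys.argv[3] if len(sys.argv) > 3 else grp.getgrgid(os.getgid()).gr_name
    run_parent("0.0.0.0", port, user, group)
```

Started as root with `80 nobody nogroup` (the group name for nobody varies by platform), `ps -o user,pid,ppid,cmd` shows exactly Davide's picture: one root process with no listening work to do, and a pool of children that cannot get root back.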
jring
(Msg. 8) Posted: Tue Aug 12, 2003 3:36 pm
Post subject: Re: Apache as root

 > > Yes, Apache needs to bind to a lower port. But after that, why could the
 > > parent not change its uid to, say, that of the nobody user, and accept
 > > connections as that unprivileged user? I mean, is it really necessary that
 > > the parent remains running as root?
 >
 > I think this is how it works:
<snip pretty good explanation of apache prefork model>

Also, the master process never accepts connections, so it can hardly be
exploited remotely. It just spawns children as needed, who start as
root, bind to whatever ip:port you gave, change uid and gid to what
was given as User and Group, and start accepting connections.

joachim