Date:      Sat, 4 Dec 2004 18:47:15 +0000 (GMT)
From:      Robert Watson <rwatson@freebsd.org>
To:        Jesper Wallin <jesper@hackunite.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Is my Apache server running as the root user or not?
Message-ID:  <Pine.NEB.3.96L.1041204184422.607M-100000@fledge.watson.org>
In-Reply-To: <1164.213.112.198.152.1102141467.squirrel@mail.hackunite.net>


On Sat, 4 Dec 2004, Jesper Wallin wrote:

> 
> By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my
> Apache is running as the user "www" and the group "www" .. Yet, when I
> run sockstat, it tells me one of the forks is run as root and
> listening on port 80 as well as the other forks are run by www:www..
> If I got a lot of users connecting to my server on port 80, will their
> requests ever be answered by the root fork or the www:www forks? 

As other posts have pointed out, Apache runs initially as root in order to
bind a privileged port.  What hasn't been mentioned explicitly is that the
credential of the process creating the initial socket is cached at
creation time, and that credential is what is later reported.  The
credential is inherited by any sockets accepted from a listen socket, so
that credential keeps being used.  Since there isn't a 1:1 mapping
of sockets to processes, or even a many:1 mapping, there's not really any
other credential around that "makes sense" to report.

You can tweak the OS policy on what id's can bind what ports using sysctl;
the ip(4) man page has details.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research


> 
> --- snip ---
> [root@ninja:~]# sockstat -l4p80
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> www      httpd      18149 3  tcp4   *:80                  *:*
> www      httpd      18148 3  tcp4   *:80                  *:*
> www      httpd      18147 3  tcp4   *:80                  *:*
> www      httpd      14055 3  tcp4   *:80                  *:*
> www      httpd      14054 3  tcp4   *:80                  *:*
> www      httpd      14053 3  tcp4   *:80                  *:*
> www      httpd      14052 3  tcp4   *:80                  *:*
> www      httpd      14051 3  tcp4   *:80                  *:*
> root     httpd      14050 3  tcp4   *:80                  *:*
> [root@ninja:~]#
> --- snip ---
> 
> 
> Best regards,
> Jesper Wallin
> 
> 
> 
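
The start-as-root pattern behind the sockstat output above, as an added example (it is not part of either e-mail and is not Apache's code): a parent binds and listens, then forks a worker that drops to an unprivileged id and confirms the inherited socket is still a listener. The function names and the 80/80 ids passed in main are assumptions.

```c
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Worker side: give up root for good. uid 0 means "no drop requested". */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0 || uid == 0)
        return 0;
    /* Groups first, uid last; afterwards regaining root must fail. */
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;
}

/* Parent binds and listens, then forks one worker that drops to uid/gid and
 * checks the inherited socket still listens. Returns 0 if so, else non-zero. */
int parent_binds_worker_drops(unsigned short port, uid_t uid, gid_t gid)
{
    struct sockaddr_in sin;
    int status = -1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));       /* zeroed address is INADDR_ANY */
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);         /* below 1024 needs root by default */
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {                     /* worker: fd is inherited */
        int listening = 0;
        socklen_t len = sizeof(listening);
        if (drop_privileges(uid, gid) < 0)
            _exit(2);
        getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &listening, &len);
        _exit(listening ? 0 : 1);
    }
    if (pid > 0) waitpid(pid, &status, 0);
    close(fd);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Run as root to bind port 80; 80/80 are assumed to be the www uid/gid. */
int main(void) { return parent_binds_worker_drops(80, 80, 80) != 0; }
```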


