From: Robert Watson <robert@fledge.watson.org>
Date: Sat, 4 Dec 2004 18:47:15 +0000 (GMT)
To: Jesper Wallin
cc: freebsd-security@freebsd.org
Subject: Re: Is my Apache server running as the root user or not?
In-Reply-To: <1164.213.112.198.152.1102141467.squirrel@mail.hackunite.net>
List-Id: Security issues [members-only posting]

On Sat, 4 Dec 2004, Jesper Wallin wrote:

> By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my
> Apache is running as the user "www" and the group "www". Yet, when I
> run sockstat, it tells me one of the forks is run as root and
> listening on port 80, while the other forks are run by www:www.
> If I have a lot of users connecting to my server on port 80, will their
> requests ever be answered by the root fork or the www:www forks?
As other posts have pointed out, Apache runs initially as root in order to bind a privileged port. What hasn't been mentioned explicitly is that the credential of the process creating the initial socket is cached at creation time, and that credential is what is later reported. The credential is inherited by any sockets accepted from a listen socket, so that credential keeps being used. Since there isn't a 1:1 mapping of sockets to processes, or even a many:1 mapping, there's not really any other credential around that "makes sense" to report.

You can tweak the OS policy on what ids can bind what ports using sysctl; the ip(4) man page has details.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research

> --- snip ---
> [root@ninja:~]# sockstat -l4p80
> USER  COMMAND  PID    FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
> www   httpd    18149  3   tcp4   *:80           *:*
> www   httpd    18148  3   tcp4   *:80           *:*
> www   httpd    18147  3   tcp4   *:80           *:*
> www   httpd    14055  3   tcp4   *:80           *:*
> www   httpd    14054  3   tcp4   *:80           *:*
> www   httpd    14053  3   tcp4   *:80           *:*
> www   httpd    14052  3   tcp4   *:80           *:*
> www   httpd    14051  3   tcp4   *:80           *:*
> root  httpd    14050  3   tcp4   *:80           *:*
> [root@ninja:~]#
> --- snip ---
>
> Best regards,
> Jesper Wallin
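The parent/worker model behind Robert's explanation, as an added example that is not part of the original thread and is not Apache's own code: the parent binds the port while it still holds root, forks workers that drop to an unprivileged uid/gid, and keeps its own root credential (the single "root httpd" line in Jesper's listing). The listener socket itself was created by root, so that is the credential cached on it and on every connection accepted from it, even though the process answering the request runs as the dropped-to user. The user name "www" and the 1023 reserved-port cutoff are assumptions here; the cutoff is the default reserved-port policy, which on FreeBSD is the policy the ip(4) sysctls let you adjust.

```c
/*
 * privsep_listener.c: bind a privileged port as root, serve it from
 * unprivileged workers. Added example, not Apache's code.
 *   cc -o privsep_listener privsep_listener.c
 *   ./privsep_listener 80 www    (as root; user "www" assumed to exist)
 *   ./privsep_listener 8080      (as any user; no privilege drop needed)
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define RESERVED_PORT_MAX 1023   /* assumed default reserved-port policy */
#define NWORKERS 3

/* 1 if binding this port needs root under the default reserved-port policy. */
int port_needs_root(int port) { return port > 0 && port <= RESERVED_PORT_MAX; }

/* Create a TCP listener; the caller's credential is what the kernel caches on it. */
int bind_listener(const char *addr, int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the listener ended up on (port 0 asks the kernel to pick one). */
int listener_port(int fd) {
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) return -1;
    return ntohs(sin.sin_port);
}

/* Irreversibly drop to uid/gid. Order matters: groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == 0 && setgroups(1, &gid) < 0) return -1; /* drop supplementary groups */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getgid() != gid || getegid() != gid || getuid() != uid || geteuid() != uid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;             /* must not be able to climb back */
    return 0;
}

/* Worker: accept on the inherited listener and answer as the dropped-to user. */
static void worker(int lfd) {
    for (;;) {
        int c = accept(lfd, NULL, NULL);
        if (c < 0) { if (errno == EINTR) continue; _exit(1); }
        char buf[256];
        int n = snprintf(buf, sizeof buf,
            "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nserved by pid %ld uid %ld euid %ld\n",
            (long)getpid(), (long)getuid(), (long)geteuid());
        if (write(c, buf, (size_t)n) < 0) perror("write");
        close(c);
    }
}

int main(int argc, char **argv) {
    int port = argc > 1 ? atoi(argv[1]) : 8080;
    const char *user = argc > 2 ? argv[2] : NULL;      /* e.g. "www" (assumed) */
    if (port_needs_root(port) && geteuid() != 0) {
        fprintf(stderr, "port %d needs root under the default reserved-port policy\n", port);
        return 1;
    }
    int lfd = bind_listener("0.0.0.0", port);          /* bound while still root */
    if (lfd < 0) { perror("bind_listener"); return 1; }
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (user) {
        struct passwd *pw = getpwnam(user);
        if (!pw) { fprintf(stderr, "no such user %s\n", user); return 1; }
        uid = pw->pw_uid; gid = pw->pw_gid;
    }
    signal(SIGCHLD, SIG_IGN);
    for (int i = 0; i < NWORKERS; i++) {
        if (fork() == 0) {                             /* child: drop root, then serve */
            if (drop_privileges(uid, gid) < 0) { perror("drop_privileges"); _exit(1); }
            worker(lfd);
        }
    }
    /* Parent keeps root, like the one "root httpd" line in sockstat. */
    fprintf(stderr, "port %d: parent pid %ld stays uid %ld, %d workers run as uid %ld\n",
            listener_port(lfd), (long)getpid(), (long)getuid(), NWORKERS, (long)uid);
    pause();
    return 0;
}
```

Run it as root on port 80 and `sockstat -l4p80` shows the same shape as Jesper's listing: one root process and the workers as www, all holding fd 3 on *:80. Fetching `http://localhost/` with any client returns a body naming a worker pid and uid, which is the practical answer to the question: requests are served by the processes that have dropped privileges, not by the root parent, even though the listener's cached credential is root. On FreeBSD the port cutoff is governed by the net.inet.ip.portrange sysctls documented in ip(4), which is the policy Robert refers to.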