From: Nick Withers <nick@nickwithers.com>
To: freebsd-security@FreeBSD.ORG
Cc: olli@lurza.secnetix.de, danil@sochiwater.ru
Date: Wed, 19 Jul 2006 22:29:10 +1000
Subject: Re: Port scan from Apache?
Message-Id: <20060719222910.317468e0.nick@nickwithers.com>
In-Reply-To: <200607190734.k6J7Yk6J036446@lurza.secnetix.de>

On Wed, 19 Jul 2006 09:34:46 +0200 (CEST)
Oliver Fromme wrote:

> Danil V. Gerun wrote:
> > BTW, isn't it impossible for Apache (if it's running from non-root)
> > to make connections from his port 80?
>
> Normally Apache doesn't make connections (unless you use
> mod_proxy, and in that case it doesn't use port 80 as the
> source port). It rather accepts connections to its port
> 80.
>
> However, the process of bind(2)ing to port 80 in order to
> accept connections to it is -- by default -- limited to
> processes with root privileges. There are several ways
> that can be accomplished without actually running the
> Apache server processes as root:
>
> 1. Usually you start Apache as root, then it bind(2)s to
>    port 80, then it changes its UID to some other, non-
>    privileged user (retaining the binding to port 80),
>    and then it uses listen(2)/accept(2) to accept
>    connections. That's the default setup, so most people
>    use it.
>
> 2. You can start Apache as non-root right from the start
>    and have it listen to some non-privileged port, e.g.
>    8080. If you don't want to force all users to enter
>    that port number in the URLs all the time, you can use
>    NAT to rewrite ports, and/or install a local forwarding
>    rule (e.g. using IPFW) to forward packets destined for
>    port 80 to port 8080.
>
> 3. FreeBSD offers the ability to change the range of ports
>    that are considered privileged, using two sysctls. See
>    the ip(4) manpage for details (and warnings). That way
>    you can allow non-root processes to bind to ports below
>    1024 (e.g. 80), if you're willing to accept the risks.

Just thought I'd point out one particularly nifty thing you can do to
alleviate said risks: Use the MAC portacl module. You can, for instance,
specify that the Apache HTTPD user specifically is allowed to bind to
port 80.

How cool's that??? :-)

> Best regards
>    Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Services with a focus on FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> "Python is an experiment in how much freedom programmers need.
> Too much freedom and nobody can read another's code; too little
> and expressiveness is endangered."
>         -- Guido van Rossum

--
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
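One way to set up the portacl policy Nick describes, as an added example that is not part of the thread or of FreeBSD's own code: a POSIX sh script that builds the mac_portacl(4) rule list for the Apache user and prints the /etc/sysctl.conf stanza that pairs it with the two ip(4) port-range sysctls from Oliver's option 3. It assumes httpd runs as uid 80 (FreeBSD's www user) and that the rule syntax and sysctl names are those documented in mac_portacl(4) and ip(4).

```shell
#!/bin/sh
# Added example (not from the thread). Builds a mac_portacl(4) policy that
# lets only the Apache user bind to TCP 80/443 instead of opening the whole
# reserved range. Assumption: httpd runs as uid 80 (FreeBSD's "www" user).

PORTACL_PORT_HIGH=1023   # portacl governs bind(2) on ports 1..port_high

# portacl_rule IDTYPE ID PROTO PORT -> prints one rule such as "uid:80:tcp:80".
# Returns 1 for a bad idtype/proto, a non-numeric id/port, or a port outside
# portacl's range (a rule for such a port would never be consulted).
portacl_rule() {
    idtype=$1 id=$2 proto=$3 port=$4
    case "$idtype" in uid|gid) ;; *) return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$id" in ''|*[!0-9]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le "$PORTACL_PORT_HIGH" ] || return 1
    printf '%s:%s:%s:%s' "$idtype" "$id" "$proto" "$port"
}

# portacl_rules "uid 80 tcp 80" "uid 80 tcp 443" -> comma-joined rule list,
# the format of the security.mac.portacl.rules sysctl. Fails on any bad spec.
portacl_rules() {
    out=""
    for spec in "$@"; do
        set -- $spec                      # split "idtype id proto port"
        r=$(portacl_rule "$1" "$2" "$3" "$4") || return 1
        out="${out:+$out,}$r"
    done
    printf '%s' "$out"
}

# portacl_sysctl_conf RULES -> /etc/sysctl.conf stanza. The kernel's own
# reserved-port check is switched off because portacl replaces it for ports
# <= port_high; root stays exempt; every other low port stays denied.
portacl_sysctl_conf() {
    cat <<EOF
security.mac.portacl.port_high=$PORTACL_PORT_HIGH
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.suser_exempt=1
security.mac.portacl.enabled=1
security.mac.portacl.rules=$1
EOF
}

# Load the module first (mac_portacl_load="YES" in /boot/loader.conf or
# kldload mac_portacl), append the stanza, then apply it (service sysctl start).
rules=$(portacl_rules "uid 80 tcp 80" "uid 80 tcp 443") || exit 1
portacl_sysctl_conf "$rules"
```

Apache then starts directly as the www user and binds to 80 and 443; any other non-root process that tries a port below 1024 still gets EPERM.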