Date: Wed, 19 Jul 2006 22:29:10 +1000
From: Nick Withers <nick@nickwithers.com>
To: freebsd-security@FreeBSD.ORG
Cc: olli@lurza.secnetix.de, danil@sochiwater.ru
Subject: Re: Port scan from Apache?
Message-ID: <20060719222910.317468e0.nick@nickwithers.com>
In-Reply-To: <200607190734.k6J7Yk6J036446@lurza.secnetix.de>
References: <44BDCD73.9030508@sochiwater.ru> <200607190734.k6J7Yk6J036446@lurza.secnetix.de>
On Wed, 19 Jul 2006 09:34:46 +0200 (CEST)
Oliver Fromme <olli@lurza.secnetix.de> wrote:

> Danil V. Gerun <danil@sochiwater.ru> wrote:
> > BTW, isn't it impossible for Apache (if it's running from non-root)
> > to make connections from his port 80?
>
> Normally Apache doesn't make connections (unless you use
> mod_proxy, and in that case it doesn't use port 80 as the
> source port). It rather accepts connections to its port 80.
>
> However, the process of bind(2)ing to port 80 in order to
> accept connections to it is -- by default -- limited to
> processes with root privileges. There are several ways
> that can be accomplished without actually running the
> Apache server processes as root:
>
> 1. Usually you start Apache as root, then it bind(2)s to
>    port 80, then it changes its UID to some other,
>    non-privileged user (retaining the binding to port 80),
>    and then it uses listen(2)/accept(2) to accept
>    connections. That's the default setup, so most people
>    use it.
>
> 2. You can start Apache as non-root right from the start
>    and have it listen to some non-privileged port, e.g.
>    8080. If you don't want to force all users to enter
>    that port number in the URLs all the time, you can use
>    NAT to rewrite ports, and/or install a local forwarding
>    rule (e.g. using IPFW) to forward packets destined for
>    port 80 to port 8080.
>
> 3. FreeBSD offers the ability to change the range of ports
>    that are considered privileged, using two sysctls. See
>    the ip(4) manpage for details (and warnings). That way
>    you can allow non-root processes to bind to ports below
>    1024 (e.g. 80), if you're willing to accept the risks.

Just thought I'd point out one particularly nifty thing you can do to
alleviate said risks: Use the MAC portacl module. You can, for
instance, specify that the Apache HTTPD user specifically is allowed
to bind to port 80.

How cool's that??? :-)

> Best regards
>    Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> "Python is an experiment in how much freedom programmers need.
> Too much freedom and nobody can read another's code; too little
> and expressiveness is endangered."
>         -- Guido van Rossum
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
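Option 1 from the quoted message (bind(2) as root, change UID, keep the bound socket for listen/accept) written out in C, as an added illustration that is not Apache's code or anything posted in this thread. It assumes a POSIX system; run as root it binds port 80 and becomes uid/gid 80 (FreeBSD's www user), and run unprivileged it takes an ephemeral port and "drops" to the caller's own ids so the same code can be tried anywhere. The portacl approach differs in that the process never holds root at all, so there is no drop step to get wrong.

```c
#define _DEFAULT_SOURCE 1
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>
/* Listen on 127.0.0.1:port; port 0 lets the kernel pick a free unprivileged
 * port so this can be tried without root. Returns the descriptor or -1. */
int bind_listen(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = {0};
    if (fd < 0) return -1;
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Give up root: supplementary groups, then gid, then uid (after setuid() the
 * groups could no longer be changed). If we were root, also confirm the drop
 * cannot be undone. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    int was_root = geteuid() == 0;
    if (was_root && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (was_root && uid != 0 && setuid(0) != -1) return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* Port the socket is bound to (host order) or -1. It is the same before and
 * after drop_privileges(): the binding belongs to the socket, not the uid. */
int bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

int main(void) {
    /* As root: port 80, then become uid/gid 80 (FreeBSD's www user).
     * Unprivileged: an ephemeral port, and "drop" to our own ids. */
    int root = geteuid() == 0, fd = bind_listen(root ? 80 : 0);
    if (fd < 0 || drop_privileges(root ? 80 : getuid(), root ? 80 : getgid()))
        { perror("bind_listen/drop_privileges"); return 1; }
    printf("uid %d accepting on port %d\n", (int)getuid(), bound_port(fd));
    return close(fd);
}
```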