On Sat, 4 Dec 2004, Jesper Wallin wrote:
>
> By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my
> Apache is running as the user "www" and the group "www" .. Yet, when I
> run sockstat, it tells me one of the forks is run as root and
> listening on port 80 as well as the other forks are run by www:www..
> If I got a lot of users connecting to my server on port 80, will their
> requests ever be answered by the root fork or the www:www forks?

As other posts have pointed out, Apache runs initially as root in order to
bind a privileged port. What hasn't been mentioned explicitly is that the
credential of the process creating the initial socket is cached at
creation time, and that credential is what is later reported. The
credential is inherited by any sockets accepted from a listen socket, so
that credential keeps being used. Since there isn't a 1:1 mapping
of sockets to processes, or even a many:1 mapping, there's not really any
other credential around that "makes sense" to report.

You can tweak the OS policy on what id's can bind what ports using sysctl;
the ip(4) man page has details.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Principal Research Scientist, McAfee Research

>
> --- snip ---
> [root@ninja:~]# sockstat -l4p80
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> www httpd 18149 3 tcp4 *:80 *:*
> www httpd 18148 3 tcp4 *:80 *:*
> www httpd 18147 3 tcp4 *:80 *:*
> www httpd 14055 3 tcp4 *:80 *:*
> www httpd 14054 3 tcp4 *:80 *:*
> www httpd 14053 3 tcp4 *:80 *:*
> www httpd 14052 3 tcp4 *:80 *:*
> www httpd 14051 3 tcp4 *:80 *:*
> root httpd 14050 3 tcp4 *:80 *:*
> [root@ninja:~]#
> --- snip ---
>
>
> Best regards,
> Jesper Wallin
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
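
An added example, not part of either poster's message: a small Python parser for `sockstat -l` output that groups each listening socket by the users and PIDs holding it, so the root parent and the www children sharing `*:80` show up as one shared listener. The function names and the `sshd` row are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: the listing quoted in the thread, plus one
# constructed sshd row so that a root-only listener is present.
SAMPLE = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 18149 3 tcp4 *:80 *:*
www httpd 18148 3 tcp4 *:80 *:*
www httpd 18147 3 tcp4 *:80 *:*
www httpd 14055 3 tcp4 *:80 *:*
www httpd 14054 3 tcp4 *:80 *:*
www httpd 14053 3 tcp4 *:80 *:*
www httpd 14052 3 tcp4 *:80 *:*
www httpd 14051 3 tcp4 *:80 *:*
root httpd 14050 3 tcp4 *:80 *:*
root sshd 612 4 tcp4 *:22 *:*
"""

def parse_sockstat(text):
    """Yield (user, command, pid, proto, local) per data row of `sockstat -l`."""
    for line in text.splitlines():
        f = line.split()
        # Skip the header, blank lines and anything without a numeric PID.
        if len(f) < 7 or not f[2].isdigit():
            continue
        yield f[0], f[1], int(f[2]), f[4], f[5]

def holders_by_listener(text):
    """Map (proto, local address) -> {user: sorted PIDs holding that socket}."""
    table = defaultdict(lambda: defaultdict(list))
    for user, _cmd, pid, proto, local in parse_sockstat(text):
        table[(proto, local)][user].append(pid)
    return {k: {u: sorted(p) for u, p in users.items()} for k, users in table.items()}

def classify(text, privileged="root"):
    """Label each listener by who holds it: shared, root-only or unprivileged."""
    labels = {}
    for listener, users in holders_by_listener(text).items():
        if privileged not in users:
            labels[listener] = "unprivileged"
        elif len(users) > 1:
            labels[listener] = "shared"      # the Apache pattern in the thread
        else:
            labels[listener] = "root-only"
    return labels

if __name__ == "__main__":
    for (proto, local), label in sorted(classify(SAMPLE).items()):
        print(proto, local, label, holders_by_listener(SAMPLE)[(proto, local)])
```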