Freeside installation problem

Neal Rigney neal at pernet.net
Thu Mar 26 09:30:44 PST 1998


Actually, I think apache is root to open port 80, then immediately changes
to the user specified in the configuration.  apachesuid switches back to
root in order to switch users to the user that owns the script.  It's
extremely safe (the code ONLY switches users, and is very short).

As far as I'm aware, the root apache never actually looks at port 80.  Only
the children do.

Here's a ps from our web server (abbreviated):
root     23958  0.0  2.2   808  664  ??  Ss   12Mar98    5:08.61 ./httpd
httpd     4967  0.0  3.1   836  952  ??  S     9:44AM    0:00.10 ./httpd
httpd     5079  0.0  3.4   868 1044  ??  S    10:02AM    0:00.28 ./httpd
...

--
Neal Rigney, PERnet Communications, (409)729-4638
neal at mail.pernet.net
"I've seen better bandwidth between two gorillas with flash cards!"
-----Original Message-----
From: Ivan Kohler <ivan at sisd.com>
To: News Subsystem <news at bmccane.maxbaud.net>
Cc: {/// Don Spence \} <don at ultimanet.com>; ivan-freeside at sisd.com
<ivan-freeside at sisd.com>
Date: Thursday, March 26, 1998 12:59 AM
Subject: Re: Freeside installation problem


>On Wed, 25 Mar 1998, News Subsystem wrote:
>
>> On Thu, 26 Mar 1998, Ivan Kohler wrote:
>>
>> > You may also want to take a look at the suExec feature of Apache, which
>> > appears to provide similar functionality - it executes scripts as the
>> > owner of the script (thus the setuid bit would not be needed).  I haven't
>> > tried this myself.
>> >
>> I believe that it is necessary to have apache running as root in order to
>> use the suExec feature.  This is a major security problem, much worse
>> than setting the suid bit on a user's files.
>
>The documentation (specifically suexec.html from the manual) seems to
>indicate that the suexec wrapper itself is setuid root, but that apache
>does not run as root.  I would guess that given Apache's popularity (and
>wide distribution of source code :) ), a correctly installed suexec should
>be fairly safe.
>
>--
>Ivan Kohler <ivan at sisd.com> - finger for PGP key
>Silicon Interactive Software Design - http://www.sisd.com/
>"I want to go on a mountain-top / with a radio and good batteries
> play a joyous tune / and free the whole human race from suffering" -Bjork
>
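
The process layout in the ps listing above (one root-owned httpd parent, children running as the configured user) can be checked mechanically. The following is an added example, not part of the original messages; the function names and the extra root-owned worker line are constructed for illustration, and treating the 's' session-leader flag in STAT as the mark of the parent is an assumption based on that listing.

```python
# The first three lines are the ps output quoted in the message above.
PS_FROM_MESSAGE = """\
root     23958  0.0  2.2   808  664  ??  Ss   12Mar98    5:08.61 ./httpd
httpd     4967  0.0  3.1   836  952  ??  S     9:44AM    0:00.10 ./httpd
httpd     5079  0.0  3.4   868 1044  ??  S    10:02AM    0:00.28 ./httpd
"""
# Constructed line: a worker that never dropped root.
PS_BAD = PS_FROM_MESSAGE + (
    "root      5100  0.0  3.0   840  960  ??  S    10:05AM    0:00.02 ./httpd\n"
)


def parse_ps(text):
    """Yield (user, pid, stat, command) from BSD `ps aux`-style lines."""
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header line, "..." elision, or truncated row
        yield fields[0], int(fields[1]), fields[7], fields[10]


def audit_httpd(text, name="httpd"):
    """Return findings; an empty list means the expected model holds."""
    procs = [p for p in parse_ps(text)
             if p[3].split()[0].rsplit("/", 1)[-1] == name]
    if not procs:
        return ["no %s processes found" % name]
    findings = []
    for user, pid, stat, _cmd in procs:
        # Assumption: the root parent is the session leader ('s' in STAT).
        if user == "root" and "s" not in stat:
            findings.append("pid %d runs as root but is not the parent" % pid)
    if all(user == "root" for user, _, _, _ in procs):
        findings.append("no unprivileged workers found")
    return findings


if __name__ == "__main__":
    for label, sample in (("message", PS_FROM_MESSAGE), ("constructed", PS_BAD)):
        print(label, audit_httpd(sample) or "ok")
```
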