> -----Original Message-----
> From: chris [mailto:chris ia.gov]
> Sent: Tuesday, November 06, 2007 4:20 PM
> To: usershttpd.apache.org
> Subject: Re: [usershttpd] apache as non-root
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A work around, sort of:
>
> If you are using an OS with the ability to port forward
(iptables on
> linux for example) you can create rules to forward the
port 80
> connection to a high port (say 8080) that the
non-root-user apache
> instance is listening on.
>
> You end up listening on two ports, but you get the
desired effect of
> having a totally user owned (startable stoppable
without ever being
> root) apache instance that is accessible via port 80.
This is a clever "work-around", but for the
record, it is worth pointing
out what you are sacrificing here:
The behaviour that the OP is trying to defeat (non-root
can't listen on
ports < 1024) is there for a good reason - security. By
forwarding the
trusted port 80 traffic to a port belonging to a plain user,
you bypass
that security mechanism. It basically means that an
un-privileged user
controls the HTTP server, while an external client thinks
he's talking
to a root-owned process.
This might be OK if the OP has a research or test
environment but it's a
but flaky for the real world. It's a bit like a boss letting
his
secretary read and reply to his e-mails using his signature.
Fine - so
long as he trusts his secretary 
Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be
ignored.
>
> chris
>
>
> Melanie Pfefer wrote:
> > thanks. But any workaround?
> > thanks.
> > --- Tony Stevenson <tonypc-tony.com> wrote:
> >
> >> Melanie Pfefer wrote:
> >>> hi
> >>>
> >>> I modified user in httpd.conf but as long
as the
> >> port
> >>> number is 80, only root can start apache.
> >> subsequent
> >>> process will be run as non-root.
> >> This is expected behaviour.
> >>
> >>> any idea how to allow this user to start
apache?
> >> To start Apache on port 80, you need root
level
> >> access as these are
> >> privilged ports.
> >>
> >> You can user another account, but the port has
to be
> >>> 1024.
> >>
> >> Tony
> >>
> >
> >
> >
> >
___________________________________________________________
> > Want ideas for reducing your carbon footprint?
Visit Yahoo!
> For Good http://uk.promotions.yahoo.com/forgood/environment.html
> >
> >
>
------------------------------------------------------------
---------
> > The official User-To-User support forum of the
Apache HTTP
> Server Project.
> > See <URL:http://htt
pd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribehttpd.apache.org
> > " from the digest:
users-digest-unsubscribehttpd.apache.org
> > For additional commands, e-mail: users-helphttpd.apache.org
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>
iD8DBQFHMIY8tqidmIdniVgRAjtMAJoCM37rSapVIHec8t7tm/QKeqT9ZQCe
Lskc
> yS2/8s/BLWdB13rzY9ZEz7M=
> =2F1K
> -----END PGP SIGNATURE-----
>
>
------------------------------------------------------------
---------
> The official User-To-User support forum of the Apache
HTTP
> Server Project.
> See <URL:http://htt
pd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribehttpd.apache.org
> " from the digest:
users-digest-unsubscribehttpd.apache.org
> For additional commands, e-mail: users-helphttpd.apache.org
>
This message is for the named person's use only. It may
contain confidential, proprietary or legally privileged
information. No confidentiality or privilege is waived or
lost by any mistransmission. If you receive this message in
error, please notify the sender urgently and then
immediately delete the message and any copies of it from
your system. Please also immediately destroy any hardcopies
of the message. You must not, directly or indirectly, use,
disclose, distribute, print, or copy any part of this
message if you are not the intended recipient. The sender's
company reserves the right to monitor all e-mail
communications through their networks. Any views expressed
in this message are those of the individual sender, except
where the message states otherwise and the sender is
authorised to state them to be the views of the sender's
company.
------------------------------------------------------------
---------
The official User-To-User support forum of the Apache HTTP
Server Project.
See <URL:http://htt
pd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribehttpd.apache.org
" from the digest: users-digest-unsubscribehttpd.apache.org
For additional commands, e-mail: users-helphttpd.apache.org
|