Re: Port scan from Apache?

Board: FB_security, posted 2006/07/19 15:36 (thread 9/16)
Danil V. Gerun <danil@sochiwater.ru> wrote:

> BTW, isn't it impossible for Apache (if it's running from non-root)
> to make connections from his port 80?

Normally Apache doesn't make connections (unless you use mod_proxy, and in that case it doesn't use port 80 as the source port). It rather accepts connections to its port 80.

However, the process of bind(2)ing to port 80 in order to accept connections to it is -- by default -- limited to processes with root privileges. There are several ways that can be accomplished without actually running the Apache server processes as root:

1. Usually you start Apache as root, then it bind(2)s to port 80, then it changes its UID to some other, non-privileged user (retaining the binding to port 80), and then it uses listen(2)/accept(2) to accept connections. That's the default setup, so most people use it.

2. You can start Apache as non-root right from the start and have it listen to some non-privileged port, e.g. 8080. If you don't want to force all users to enter that port number in the URLs all the time, you can use NAT to rewrite ports, and/or install a local forwarding rule (e.g. using IPFW) to forward packets destined for port 80 to port 8080.

3. FreeBSD offers the ability to change the range of ports that are considered privileged, using two sysctls. See the ip(4) manpage for details (and warnings). That way you can allow non-root processes to bind to ports below 1024 (e.g. 80), if you're willing to accept the risks.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Python is an experiment in how much freedom programmers need.
Too much freedom and nobody can read another's code; too little
and expressiveness is endangered."
        -- Guido van Rossum

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
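The first approach Oliver describes (bind the privileged port as root, then switch to an unprivileged UID and only then accept connections) is the pattern worth seeing in code, because the security property rests on a detail the post mentions only in passing: the socket descriptor survives the UID change. The following is an added example written for this thread, not code from the post, from Apache or from FreeBSD; the account name "www" and the minimal HTTP reply are assumptions for illustration. It also checks that the privilege drop is permanent, which is the step most often omitted.

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>

/* Step 1 (as root): create a TCP socket and bind it to `port` on all IPv4
 * addresses. Ports below 1024 need root here (unless the reserved port
 * range has been changed via sysctl, approach 3 in the post).
 * Returns the listening fd, or -1 on failure. */
int open_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);          /* port 0 lets the kernel pick one */

    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: give up root permanently by switching to `user`. Order matters:
 * supplementary groups and gid first, uid last, because once the uid is
 * unprivileged the group calls would fail. Open descriptors such as the
 * listening socket are unaffected by the UID change, which is exactly why
 * bind-then-drop works. Returns 0 on success, -1 on failure; a process
 * that is not root returns 0 because there is nothing to drop. */
int drop_privileges(const char *user)
{
    if (geteuid() != 0)
        return 0;

    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    if (setgroups(1, &pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;

    /* A correctly dropped process must not be able to regain root.
     * If this call succeeds, the drop was not permanent. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

/* Report the local port a socket is bound to (used for verification). */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return -1;
    return ntohs(sa.sin_port);
}

/* Step 3 (unprivileged): accept on the socket bound earlier. "www" is the
 * conventional FreeBSD web-server account; assumed here, not from the post. */
int main(void)
{
    int fd = open_listener(80);
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    if (drop_privileges("www") != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on port %d as uid %d\n", bound_port(fd), (int)getuid());

    int client = accept(fd, NULL, NULL);
    if (client >= 0) {
        const char msg[] = "HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n";
        (void)write(client, msg, sizeof msg - 1);
        close(client);
    }
    close(fd);
    return 0;
}
```

Run as root it binds port 80 and then serves as "www"; run as an ordinary user `open_listener(80)` fails with EACCES, which is the restriction the post is explaining. The `setuid(0)` probe after the drop is the check to keep: a server that merely changed its effective UID (seteuid) would pass the earlier calls but fail this one.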
Article ID (AID): #14lU3u00 (FB_security)