[5007] in WWW Security List Archive
Re: Security issues in Apache?
daemon@ATHENA.MIT.EDU (Phillip M Hallam-Baker)
Wed Apr 9 17:14:02 1997
From: "Phillip M Hallam-Baker" <hallam@ai.mit.edu>
To: <ben@algroup.co.uk>
Cc: <ben@algroup.co.uk>, <petrilli@amber.org>, <riddle@is.rice.edu>,
<rjc@n2k.com>, <www-security@ns2.rutgers.edu>
Date: Wed, 9 Apr 1997 12:11:27 -0400
Errors-To: owner-www-security@ns2.rutgers.edu
> It doesn't buy _me_ that - I've already audited the code! But I'll agree that
> it buys other people who don't trust me that.
Probably not to the extent of a formal proof :-)
> These things have been considered, yes.
Have you considered _everything_ - including the things you haven't
considered?
> Agreed. But Apache does need to run as root if you want to open port 80 (or
> any other low numbered port), as you well know.
If you run Linux I would suggest patching the TCP/IP stack to remove this
restriction, allowing processes in a group INET to connect to low numbered
ports.
Phill