Port scan from Apache?
Oliver Fromme
olli at lurza.secnetix.de
Wed Jul 19 07:34:54 UTC 2006
Danil V. Gerun <danil at sochiwater.ru> wrote:
> BTW, isn't it impossible for Apache (if it's running from non-root)
> to make connections from his port 80?
Normally Apache doesn't make connections (unless you use
mod_proxy, and in that case it doesn't use port 80 as the
source port). It rather accepts connections to its port
80.
However, the process of bind(2)ing to port 80 in order to
accept connections to it is -- by default -- limited to
processes with root privileges. There are several ways
that can be accomplished without actually running the
Apache server processes as root:
1. Usually you start Apache as root, then it bind(2)s to
port 80, then it changes its UID to some other, non-privileged
user (retaining the binding to port 80), and then it uses
listen(2)/accept(2) to accept connections. That's the default
setup, so most people use it.
2. You can start Apache as non-root right from the start
and have it listen to some non-privileged port, e.g.
8080. If you don't want to force all users to enter
that port number in the URLs all the time, you can use
NAT to rewrite ports, and/or install a local forwarding
rule (e.g. using IPFW) to forward packets destined for
port 80 to port 8080.
3. FreeBSD offers the ability to change the range of ports
that are considered privileged, using two sysctls. See
the ip(4) manpage for details (and warnings). That way
you can allow non-root processes to bind to ports below
1024 (e.g. 80), if you're willing to accept the risks.
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"Python is an experiment in how much freedom programmers need.
Too much freedom and nobody can read another's code; too little
and expressiveness is endangered."
-- Guido van Rossum
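The bind-as-root-then-drop sequence that option 1 above describes, written out as an added C example (this is not code from the post, from Apache, or from FreeBSD). It binds a loopback listening socket while still root, switches to an unprivileged account, checks that root cannot be regained, and then serves one request as that user. The account name (default "www"), the port argument and the program name are assumptions; port 0 asks the kernel for an ephemeral port, which is how the helpers can be exercised without root.

```c
/* Added example: bind a privileged port as root, then drop privileges
 * before accept(2). Assumed usage: ./privdrop_listen [port] [user]
 * (defaults: 80 and the assumed unprivileged account "www"). */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Ports below IPPORT_RESERVED (1024) need root to bind(2) by default;
 * FreeBSD lets you move that boundary with the sysctls ip(4) documents. */
int is_privileged_port(unsigned port) { return port < IPPORT_RESERVED; }

/* Create, bind and listen on a TCP socket on the loopback address.
 * Port 0 asks the kernel for an ephemeral (never privileged) port. */
int open_listen_socket(unsigned port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == -1 || listen(fd, 16) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Report the port a listening socket is actually bound to (0 on error). */
unsigned bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) == -1) return 0;
    return ntohs(sa.sin_port);
}

/* Switch to uid/gid. Order matters: supplementary groups and the gid
 * must be changed first, because once the UID is unprivileged those
 * calls are refused. Returns 0 on success, -1 if a step failed or if
 * root turned out to be recoverable afterwards. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) == -1) return -1;
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    /* Having dropped from root to a real user, regaining root must fail. */
    if (uid != 0 && setuid(0) != -1) return -1;
    return 0;
}

int main(int argc, char **argv) {
    unsigned port = argc > 1 ? (unsigned)atoi(argv[1]) : 80;
    const char *user = argc > 2 ? argv[2] : "www";   /* assumed account name */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { fprintf(stderr, "no such user: %s\n", user); return 1; }
    if (is_privileged_port(port) && geteuid() != 0)
        fprintf(stderr, "warning: port %u is privileged, bind will fail\n", port);

    int fd = open_listen_socket(port);                 /* step 1: bind as root */
    if (fd == -1) { perror("bind/listen"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) == -1) { /* step 2: become "www" */
        perror("drop_privileges");
        return 1;
    }
    printf("listening on port %u as uid %u (euid %u)\n",
           bound_port(fd), (unsigned)getuid(), (unsigned)geteuid());

    int c = accept(fd, NULL, NULL);                    /* step 3: accept unprivileged */
    if (c == -1) { perror("accept"); return 1; }
    static const char reply[] = "HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nok\n";
    if (write(c, reply, sizeof reply - 1) == -1) perror("write");
    close(c);
    close(fd);
    return 0;
}
```

The listening descriptor survives the UID change, which is exactly why the server process no longer needs root once bind(2) has returned. For option 2 in the post, the local forwarding rule would be an ipfw fwd rule along the lines of `ipfw add fwd 127.0.0.1,8080 tcp from any to me 80 in` (an assumed rule, not one from the post); for option 3, the two ip(4) sysctls are net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh, and lowering reservedhigh below 80 is what lets any local user bind port 80, which is the risk the post points at.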