Port scan from Apache?

Nick Withers nick at nickwithers.com
Wed Jul 19 12:29:28 UTC 2006


On Wed, 19 Jul 2006 09:34:46 +0200 (CEST)
Oliver Fromme <olli at lurza.secnetix.de> wrote:

> Danil V. Gerun <danil at sochiwater.ru> wrote:
>  > BTW, isn't it impossible for Apache (if it's running from non-root)
>  > to make connections from his port 80?
> 
> Normally Apache doesn't make connections (unless you use
> mod_proxy, and in that case it doesn't use port 80 as the
> source port).  It rather accepts connections to its port
> 80.
> 
> However, the process of bind(2)ing to port 80 in order to
> accept connections to it is -- by default -- limited to
> processes with root privileges.  There are several ways
> that can be accomplished without actually running the
> Apache server processes as root:
> 
> 1. Usually you start Apache as root, then it bind(2)s to
>    port 80, then it changes its UID to some other,
>    non-privileged user (retaining the binding to port 80),
>    and then it uses listen(2)/accept(2) to accept
>    connections.  That's the default setup, so most people
>    use it.
> 
> 2. You can start Apache as non-root right from the start
>    and have it listen to some non-privileged port, e.g.
>    8080.  If you don't want to force all users to enter
>    that port number in the URLs all the time, you can use
>    NAT to rewrite ports, and/or install a local forwarding
>    rule (e.g. using IPFW) to forward packets destined for
>    port 80 to port 8080.
> 
> 3. FreeBSD offers the ability to change the range of ports
>    that are considered privileged, using two sysctls.  See
>    the ip(4) manpage for details (and warnings).  That way
>    you can allow non-root processes to bind to ports below
>    1024 (e.g. 80), if you're willing to accept the risks.

Just thought I'd point out one particularly nifty thing you can
do to alleviate said risks: Use the MAC portacl module. You
can, for instance, specify that the Apache HTTPD user
specifically is allowed to bind to port 80.

How cool's that??? :-)

> Best regards
>    Oliver
> 
> -- 
> Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
> 
> "Python is an experiment in how much freedom programmers need.
> Too much freedom and nobody can read another's code; too little
> and expressiveness is endangered."
>         -- Guido van Rossum
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"


-- 
Nick Withers
email: nick at nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
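The two sysctl-based approaches discussed in this thread (Oliver's option 3, shrinking the ip(4) reserved port range, and Nick's mac_portacl rule for a single uid) as an added example; this is not code from either poster. It assumes the stock FreeBSD www user is uid 80, and takes the sysctl names and the rule syntax `idtype:id:proto:port` from mac_portacl(4) and ip(4), including the man page's advice to zero the kernel's own reserved range so the portacl policy is the only check that remains. The functions only build and validate the settings; applying them is left to the administrator.

```shell
#!/bin/sh
# Added example, not from the thread: build and sanity-check the settings
# for letting an unprivileged Apache bind port 80 on FreeBSD.
# Assumptions: www is uid 80; sysctl names per mac_portacl(4) and ip(4).

# portacl_rule IDTYPE ID PROTO PORT -> "idtype:id:proto:port", the element
# format of security.mac.portacl.rules.  Returns 1 on a malformed field.
portacl_rule() {
    idtype=$1; id=$2; proto=$3; port=$4
    case "$idtype" in uid|gid) ;; *) return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$id" in ''|*[!0-9]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -le 65535 ] || return 1
    printf '%s:%s:%s:%s\n' "$idtype" "$id" "$proto" "$port"
}

# portacl_conf RULE... -> sysctl.conf(5) lines for the portacl approach:
# the comma-joined rule list, root still exempt, ports 0-1023 covered by
# the policy, and the kernel's own reserved-range check zeroed so the
# named uid is the only exception (per the mac_portacl(4) examples).
portacl_conf() {
    rules=""
    for r in "$@"; do
        rules="${rules:+$rules,}$r"
    done
    printf 'security.mac.portacl.rules=%s\n' "$rules"
    printf 'security.mac.portacl.suser_exempt=1\n'
    printf 'security.mac.portacl.port_high=1023\n'
    printf 'net.inet.ip.portrange.reservedlow=0\n'
    printf 'net.inet.ip.portrange.reservedhigh=0\n'
}

# reserved_range_conf LOW -> the coarser ip(4) alternative (option 3):
# lower reservedhigh so every port >= LOW is bindable by any local user,
# not just one uid.  Returns 1 if LOW is not a valid low port.
reserved_range_conf() {
    low=$1
    case "$low" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1 ] && [ "$low" -le 1023 ] || return 1
    printf 'net.inet.ip.portrange.reservedhigh=%s\n' "$((low - 1))"
}

# Stand-alone run: show the portacl settings for uid 80 on tcp/80 and tcp/443,
# then the ip(4) alternative that opens 80 and up.  Load the policy with
# "kldload mac_portacl" (or mac_portacl_load="YES" in loader.conf) first.
echo '# /etc/sysctl.conf fragment, portacl approach:'
portacl_conf "$(portacl_rule uid 80 tcp 80)" "$(portacl_rule uid 80 tcp 443)"
echo '# /etc/sysctl.conf fragment, reserved-range approach:'
reserved_range_conf 80
```

Prefer the portacl rule over shrinking the reserved range: the first grants exactly one uid exactly the ports it needs, while the second lets every local account bind 80 and above.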

