Heya..

By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my Apache is running as the user "www" and the group "www" .. Yet, when I run sockstat, it tells me one of the forks is run as root and listening on port 80 as well as the other forks are run by www:www.. If I got a lot of users connecting to my server on port 80, will their requests ever be answered by the root fork or the www:www forks?

--- snip ---
[root@ninja:~]# sockstat -l4p80
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      18149 3  tcp4   *:80                  *:*
www      httpd      18148 3  tcp4   *:80                  *:*
www      httpd      18147 3  tcp4   *:80                  *:*
www      httpd      14055 3  tcp4   *:80                  *:*
www      httpd      14054 3  tcp4   *:80                  *:*
www      httpd      14053 3  tcp4   *:80                  *:*
www      httpd      14052 3  tcp4   *:80                  *:*
www      httpd      14051 3  tcp4   *:80                  *:*
root     httpd      14050 3  tcp4   *:80                  *:*
[root@ninja:~]#
--- snip ---

Best regards,
Jesper Wallin
Clement Laforet
2004-Dec-04 03:13 UTC
Is my Apache server running as the root user or not?
On Sat, 4 Dec 2004 07:24:27 +0100 (CET) "Jesper Wallin" <jesper@hackunite.net> wrote:

> Heya..
>
> By reading my /usr/local/etc/apache2/httpd.conf, I can find out that
> my Apache is running as the user "www" and the group "www" .. Yet,
> when I run sockstat, it tells me one of the forks is run as root
> and listening on port 80 as well as the other forks are run by
> www:www.. If I got a lot of users connecting to my server on port 80,
> will their requests ever be answered by the root fork or the www:www
> forks?

The process owned by root is the parent process. It doesn't actually handle connections; it only sets up socket(s) at the initialization stage. Child processes (owned by your User/Group settings) accept new connections and deal with the requests. Since you need to be root to be able to bind on port 80, the parent process is owned by root.

clem
Hi,

Apache has to be started as root, because it needs to bind to port 80 (i.e. <1024). But this process doesn't serve clients; it only forks, and then the id of the forked process is changed to www and then it can serve clients...

Jesper Wallin wrote:

> Heya..
>
> By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my Apache is
> running as the user "www" and the group "www" .. Yet, when I run sockstat, it tells me
> one of the forks is run as root and listening on port 80 as well as the other forks
> are run by www:www.. If I got a lot of users connecting to my server on port 80, will
> their requests ever be answered by the root fork or the www:www forks?

--
# If it happens once, it's a bug.
# If it happens twice, it's a feature.
# If it happens more than twice, it's a design philosophy.
This isn't on-topic for the list, but I'll answer it anyway.

The Apache parent runs as root so that it can attach to port 80. After a packet reaches port 80, Apache will hand it off to a child process running as www. The parent process also does other housekeeping duties as you would expect from any other parent process.

On Sat, Dec 04, 2004 at 07:24:27AM +0100, Jesper Wallin wrote:

> Heya..
>
> By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my Apache is
> running as the user "www" and the group "www" .. Yet, when I run sockstat, it tells me
> one of the forks is run as root and listening on port 80 as well as the other forks
> are run by www:www.. If I got a lot of users connecting to my server on port 80, will
> their requests ever be answered by the root fork or the www:www forks?

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/
On Sat, 4 Dec 2004, Jesper Wallin wrote:

> By reading my /usr/local/etc/apache2/httpd.conf, I can find out that my
> Apache is running as the user "www" and the group "www" .. Yet, when I
> run sockstat, it tells me one of the forks is run as root and
> listening on port 80 as well as the other forks are run by www:www..
> If I got a lot of users connecting to my server on port 80, will their
> requests ever be answered by the root fork or the www:www forks?

As other posts have pointed out, Apache runs initially as root in order to bind a privileged port. What hasn't been mentioned explicitly is that the credential of the process creating the initial socket is cached at creation time, and that credential is what is later reported. The credential is inherited by any sockets accepted from a listen socket, so that credential keeps being used. Since there isn't a 1:1 mapping of sockets to processes, or even a many:1 mapping, there's not really any other credential around that "makes sense" to report.

You can tweak the OS policy on what id's can bind what ports using sysctl; the ip(4) man page has details.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org
Principal Research Scientist, McAfee Research
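
Added example, not part of the thread: a shell check for the layout the replies describe, with one root-owned parent holding the port 80 listener and every worker running as the configured User. It cross-checks `sockstat -l4p80` rows against `ps -axo pid,ppid,user,comm` rows; the sockstat rows are a subset of those posted above, while the ps rows and the helper name `audit_httpd` are constructed for illustration.

```shell
# audit_httpd WORKER_USER SOCKSTAT_FILE PS_FILE   (hypothetical helper)
# Passes only if exactly one httpd listener is owned by root, every other
# listener runs as WORKER_USER, and each of those is a child of the root one.
audit_httpd() {
    awk -v want="$1" '
        FNR == 1 { next }                     # skip the header row of each file
        src == "sock" && $2 == "httpd" {      # USER COMMAND PID ...
            owner[$3] = $1
            if ($1 == "root") { roots++; parent = $3 }
        }
        src == "ps" { ppid[$1] = $2 }         # PID PPID USER COMMAND
        END {
            if (roots != 1) { print "FAIL: " (roots + 0) " root listeners, expected 1"; exit 1 }
            for (pid in owner) {
                if (pid == parent) continue
                if (owner[pid] != want) { print "FAIL: " pid " runs as " owner[pid]; bad = 1 }
                else if (ppid[pid] != parent) { print "FAIL: " pid " not a child of " parent; bad = 1 }
                else workers++
            }
            if (bad) exit 1
            print "OK: parent " parent " (root), " (workers + 0) " workers as " want
        }' src=sock "$2" src=ps "$3"
}

# Subset of the sockstat -l4p80 rows posted in the thread.
sample_sockstat() {
cat <<'EOF'
USER COMMAND PID   FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www  httpd   18149 3  tcp4  *:80          *:*
www  httpd   18148 3  tcp4  *:80          *:*
www  httpd   14051 3  tcp4  *:80          *:*
root httpd   14050 3  tcp4  *:80          *:*
EOF
}

# Constructed `ps -axo pid,ppid,user,comm` rows for the same PIDs.
sample_ps() {
cat <<'EOF'
  PID  PPID USER COMMAND
14050     1 root httpd
14051 14050 www  httpd
18148 14050 www  httpd
18149 14050 www  httpd
EOF
}

tmp=$(mktemp -d)
sample_sockstat > "$tmp/sock"; sample_ps > "$tmp/ps"
audit_httpd www "$tmp/sock" "$tmp/ps"   # -> OK: parent 14050 (root), 3 workers as www
rm -rf "$tmp"
```

On a live host, save the output of the two commands to files and pass those instead of the samples.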