Hi Alfred, Alfred Morgan wrote on Tue, Mar 19, 2019 at 08:05:33AM -0500:
> I tried starting a temporary httpd server on port 8080 > as a user to serve some files and I found this error: > httpd: need root privileges > > I would think there would be value in letting httpd be run > by standard users. For security reasons, you absolutely do *not* want that. You do not want to run a network daemon as your normal login user. If the network daemon contained a bug, remote attackers might read or modify the private files of your local user. You really want the network daemon to run as a *dedicated* user which doesn't have access to resources it doesn't need. On OpenBSD, that low-privileged user is called "www": $ ps -Ao user,command | grep [h]ttpd www httpd: server (httpd) root /usr/sbin/httpd www httpd: server (httpd) www httpd: logger (httpd) www httpd: server (httpd) This is *privilege separation*. In particular, you want the "logger" process and the "server" processes chroot(2)ed and setresuid(2)ed to www, see proc.c, proc_run(), all of which requires root privileges to set up. Starting up a network daemon without root privileges would be inherently insecure. Yours, Ingo
