I think you would need to elaborate on that statement. Frankly I can see a few 
differences, but I am not sure whether those are what you were thinking about. 
Apache also does a chuid/chgid effectively changing the UID/GID of the process 
to something which is hopefully not privileged.

Whether Apache is started with sudo or is suid root, anyone able to start an 
Apache instance with the configuration of his/her choice can do bad things on 
the server. The main advantage of sudo I can think of is that it at least 
allows you to restrict who is allowed to execute Apache with root privileges. 
On the other hand you could apply the same restrictions using file system 
access control lists.

On a server with many users of which only a few are allowed to start Apache 
with root privileges, there is definitely an advantage to sudo.


-ascs
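
An added example, not part of the original thread: a defender-side check for the comparison made above, reporting whether an httpd binary is setuid root and, if so, which local users its permission bits allow to start it. The function names and sample modes are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# classify_mode MODE OWNER_UID   (hypothetical helper)
#   MODE is the octal permission string printed by `stat -c %a`, e.g. 4755.
#   Prints which local users can start the binary with root privileges.
classify_mode() {
    mode=$((0$1))   # leading 0 makes the shell read the digits as octal
    owner=$2
    if [ $((mode & 04000)) -eq 0 ] || [ "$owner" -ne 0 ]; then
        # The binary does not confer root by itself; a root start
        # has to come from sudo or from a caller that is already root.
        echo "not-setuid-root"
    elif [ $((mode & 0001)) -ne 0 ]; then
        # World-executable and setuid root: no restriction at all.
        echo "setuid-root-any-user"
    elif [ $((mode & 0010)) -ne 0 ]; then
        # Only the owning group may execute: the file-system
        # equivalent of limiting who may run it through sudo.
        echo "setuid-root-group-only"
    else
        echo "setuid-root-owner-only"
    fi
}

# audit_binary PATH   (hypothetical helper)
#   Reads mode and owner uid from the file and classifies them.
#   Limitation: POSIX ACL entries are not examined; if the file carries
#   an ACL, inspect it separately with getfacl.
audit_binary() {
    info=$(stat -c '%a %u' "$1") || return 1
    printf '%s: %s\n' "$1" "$(classify_mode "${info% *}" "${info#* }")"
}

# Constructed sample values (mode, owner uid), not taken from a real host.
for sample in "4755 0" "4750 0" "755 0"; do
    printf '%s -> %s\n' "$sample" "$(classify_mode ${sample% *} ${sample#* })"
done
```

Run `audit_binary` against the installed httpd path on the host being reviewed; any setuid-root result still leaves the choice of configuration to whoever is allowed to execute the binary.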
 
-----Original Message-----
From: Christian Folini [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 8, 2007 11:10
To: users@httpd.apache.org
Subject: Re: [EMAIL PROTECTED] apache as non-root

On Thu, Nov 08, 2007 at 11:00:10AM +0100, Krist van Besien wrote:
> > Sounds like a task for "sudo".
> 
> Another option is making the httpd executable suid root.

Ouch.

Starting a webserver on port 80 as a normal user is not a good thing. Sudo 
helps to limit the security breach somewhat if you really have to. Setting the 
suid flag is a lot worse securitywise. A lot.

regs,

Christian

> --
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> Bremgarten b. Bern, Switzerland

Bern, Switzerland


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

