On Thu, 2004-07-08 at 21:56, Jorge Fábregas wrote:
> On Thursday 08 July 2004 8:16 pm, Alan Horn wrote:
>
> > You should never _RUN_ the webserver as root
>
> Hi,
>
> How then you make Apache listen to port 80 (a port below 1024) as another user
> other than root? ..since only root may use those ports below 1024.
>
> Jorge
>

No, the daemon is started as root, but spawns child processes that drop
root privileges and run as apache. See below:

root     10718  8.7  1.8 23504 9704 ?  S  08:45  0:00 /usr/sbin/httpd
apache   10721  0.0  1.8 23504 9724 ?  S  08:45  0:00 /usr/sbin/httpd
apache   10722  0.0  1.8 23504 9720 ?  S  08:45  0:00 /usr/sbin/httpd
apache   10723  0.0  1.8 23504 9720 ?  S  08:45  0:00 /usr/sbin/httpd
apache   10724  0.0  1.8 23504 9720 ?  S  08:45  0:00 /usr/sbin/httpd
apache   10725  0.0  1.8 23504 9720 ?  S  08:45  0:00 /usr/sbin/httpd
apache   10726  0.0  1.8 23504 9720 ?  S  08:45  0:00 /usr/sbin/httpd
apache   10727  0.0  1.8 23504 9720 ?  S  08:45  0:00 /usr/sbin/httpd
apache   10728  0.0  1.8 23504 9720 ?  S  08:45  0:00 /usr/sbin/httpd

The first is the parent that initially launches the process (the 'queen')
and runs as root. The others are the worker bees that handle all requests,
and the parent never handles an incoming request. All the workers run as
apache, only the 'queen' runs as root and all that process does is monitor
and control the others. The ones running as apache handle all requests and
if they get compromised, they only have the privileges of the user apache.