> For example, you can say, user www is allowed to bind to port 80 or
> user mail is allowed to bind to port 25. Then, you can run apache as
> user www and sendmail as user mail. Now, you don't have to rely on
> apache or sendmail giving up superuser rights to enhance security.
typically logging must also occur as some other user than what the daemon
runs as, or else your logs are suspect in any sort of break-in. this is
no problem for stuff using syslog, but since that's not the default
configuration for apache you might want to put a note in any docs you end
up including. one suggestion is piped logging through a setuid logger
(setuid to user wwwlogs or something, root not required).
-dean
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/