dean gaudet <dean-list-linux-kernel@arctic.org> writes:
> On 15 Jan 2002, Olaf Dietsche wrote:
>
> > For example, you can say, user www is allowed to bind to port 80 or
> > user mail is allowed to bind to port 25. Then, you can run apache as
> > user www and sendmail as user mail. Now, you don't have to rely on
> > apache or sendmail giving up superuser rights to enhance security.
>
> typically logging must also occur as some other user than what the daemon
> runs as, or else your logs are suspect in any sort of break-in. this is
> no problem for stuff using syslog, but since that's not the default
> configuration for apache you might want to put a note in any docs you end
> up including. one suggestion is piped logging through a setuid logger
> (setuid to user wwwlogs or something, root not required).
Right. But that's user space and shouldn't impact the kernel/accessfs.
Or did I miss something?
Regards, Olaf.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Jan 23 2002 - 21:00:16 EST