From: SourceForge.net <no...@so...> - 2005-02-26 13:26:51
Feature Requests item #1120023, was opened at 2005-02-10 14:30
Message generated for change (Comment added) made by vasiljevic
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=719009&aid=1120023&group_id=130646

Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Submitted By: Zoran Vasiljevic (vasiljevic)
Assigned to: Zoran Vasiljevic (vasiljevic)
Summary: Allow to start server under root privileges

Initial Comment:
Before all of you freak out, read please :-)

Currently the server will just complain if you attempt to start it as root. However, we do need to do this. Our app is actually a backup/archive and server-synchronize product and it needs to access all files on the server and do something with them. For this to work, I had to manually disable checking for user/group of 0/0 during the startup.

Now, my idea is to allow compile-time option which would control this, like for example --enable-rootuser or similar. I think Apache build allows you to do this (at least it did when I worked with Apache for the last time, about 6 years ago).

Default would be to *not* allow server to be started as root, which is what we have now. This can be

#ifdef ALLOW_ROOT_USER
#endif

at one place in the nsmain.c.

Any thoughts?

----------------------------------------------------------------------

>Comment By: Zoran Vasiljevic (vasiljevic)
Date: 2005-02-26 14:26

Message:
Logged In: YES
user_id=95086

Added in CVS. Closing this RFE.

----------------------------------------------------------------------

Comment By: Zoran Vasiljevic (vasiljevic)
Date: 2005-02-11 21:50

Message:
Logged In: YES
user_id=95086

All right for me. As soon as cvs is in place I will add this.

----------------------------------------------------------------------

Comment By: Vlad Seryakov (seryakov)
Date: 2005-02-11 15:02

Message:
Logged In: YES
user_id=184124

That's okay with me

----------------------------------------------------------------------

Comment By: Stephen Deasey (sdeasey)
Date: 2005-02-11 04:50

Message:
Logged In: YES
user_id=87254

I think thttpd works like this. A lot of its config settings are compile time only options (you actually have to hack the makefile). But Vlad makes a good point: If someone asks to run as root maybe we should just respect that.

I'm not sure about running as user 'nobody' as default though. I think that is an apache specific user, created when you install that package. It might not always exist. Also, if all daemons run as 'nobody' then you're really not increasing security, because a flaw in one exposes the data of all the others rather than contain it.

I would suggest the following: You *have* to supply the user to switch to on the command line. If you don't, the server complains and exits. You may specify root, in which case we log a warning message but respect your wishes and continue. Specifying any other user works as before.

I would be happy with something like that. Sound OK?

----------------------------------------------------------------------

Comment By: Zoran Vasiljevic (vasiljevic)
Date: 2005-02-10 18:18

Message:
Logged In: YES
user_id=95086

You mean:

no user given -> run as nobody (65534 or whatever uid nobody is)
user given -> run as this user, whatever the user (might be root, uid=0)

OK. No problems for me. This is even simpler. If nobody objects, I will make this change.

----------------------------------------------------------------------

Comment By: Vlad Seryakov (seryakov)
Date: 2005-02-10 16:25

Message:
Logged In: YES
user_id=184124

I have no problem with that, if we want NS to be more versatile than just webserver we will have to run it as root for some tasks, so I would suggest even more radical solution, if root given as id on the command line, run it as root, if nothing given via command line, switch to default nobody if root.
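
Added example, not part of the tracker thread and not the project's nsmain.c code: a C sketch of the startup policy Stephen Deasey proposes above (a user must be named, root is honoured with a warning, any other user triggers a privilege drop). The function names, the enum, taking the user as the first argument, and letting a non-root start continue unchanged are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE            /* for initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef enum { START_REFUSE, START_ROOT_WARN, START_DROP, START_AS_IS } start_action;

/* Policy only, no side effects. euid: effective uid at startup;
 * has_user: a user was named on the command line; target: uid it resolves to. */
start_action decide_start(uid_t euid, int has_user, uid_t target)
{
    if (euid != 0)   return START_AS_IS;     /* assumption: a non-root start cannot switch users */
    if (!has_user)   return START_REFUSE;    /* root and no user named: complain and exit */
    if (target == 0) return START_ROOT_WARN; /* root requested explicitly: warn, continue */
    return START_DROP;
}

/* Drop from root to pw. Order matters: supplementary groups and gid must be
 * changed while still root, uid last. Returns 0 only if root cannot be regained. */
int drop_privileges(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0)                  return -1;
    if (setuid(pw->pw_uid) != 0)                  return -1;
    return (setuid(0) == 0) ? -1 : 0;             /* regaining root must fail */
}

int main(int argc, char **argv)
{
    const char *user = (argc > 1) ? argv[1] : NULL;  /* hypothetical: user as first argument */
    struct passwd *pw = user ? getpwnam(user) : NULL;
    if (user && !pw) { fprintf(stderr, "unknown user: %s\n", user); return 1; }
    switch (decide_start(geteuid(), pw != NULL, pw ? pw->pw_uid : 0)) {
    case START_REFUSE:
        fprintf(stderr, "started as root without a user to switch to; exiting\n");
        return 1;
    case START_ROOT_WARN:
        fprintf(stderr, "warning: running as root as requested\n");
        break;
    case START_DROP:
        if (drop_privileges(pw) != 0) { perror("drop_privileges"); return 1; }
        break;
    case START_AS_IS: break;
    }
    printf("running with uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Keeping the decision separate from the system calls lets the policy be checked without root; the final setuid(0) probe turns an incomplete drop into a startup failure.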