Thinking about a future web server setup, it struck me that for some reason web servers usually start as root and then drop certain rights (setuid) for the worker processes. In addition there is often chroot involved, which isn't exactly meant as a security measure.
What I was wondering is: why can web servers (I have administrated everything from Apache and lighttpd to nginx) not use the capability system (capabilities(7)), such as CAP_NET_BIND_SERVICE, on Linux and simply start as a non-root user ... this way still listening on a privileged port below 1024?
Or better, I think most of them could, but why isn't that common practice? Why not ...
- use setcap(8) with CAP_NET_BIND_SERVICE on the binary being run?
- set up the log folders to allow the (non-root) user to write there
- ..., if you felt like chroot helps at all, use chroot or lxc to "jail" the web server?
There is nothing other than "(worker) child process may kill parent" that I could come up with that would make this less beneficial than starting outright as root.
So why are they traditionally being started as root when afterwards everything is done to get rid of the implied security issues that come with it?
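As an added example (not code from the original post or from any of the servers named), a POSIX shell script that performs the setcap and log-directory steps described above and verifies the result through getcap(8) and the CapEff line of /proc/PID/status; the binary path /usr/sbin/nginx, service user www-data and log directory /var/log/nginx in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): grant CAP_NET_BIND_SERVICE to a
# web server binary, hand the log directory to the service user, and verify.
# Binary path, user name and log directory are assumptions, not page values.
set -eu

# CAP_NET_BIND_SERVICE is capability number 10 in <linux/capability.h>.
CAP_NET_BIND_SERVICE=10

# Succeed if a hex capability mask (as in the CapEff/CapPrm lines of
# /proc/PID/status) has the CAP_NET_BIND_SERVICE bit set.
mask_has_net_bind() {
    [ $(( 0x$1 >> CAP_NET_BIND_SERVICE & 1 )) -eq 1 ]
}

# Succeed if a getcap(8) output line grants cap_net_bind_service in the
# effective and permitted sets. Depending on the libcap version the line
# reads "/usr/sbin/nginx cap_net_bind_service=ep" or
# "/usr/sbin/nginx = cap_net_bind_service+ep".
getcap_line_grants_net_bind() {
    case "$1" in
        *cap_net_bind_service=ep*|*cap_net_bind_service+ep*) return 0 ;;
        *) return 1 ;;
    esac
}

# Put the capability on the binary as a file capability (needs root once,
# at install time) and confirm that getcap reports it.
grant_net_bind() {
    setcap 'cap_net_bind_service=+ep' "$1"
    getcap_line_grants_net_bind "$(getcap "$1")"
}

# Create the log directory owned by the service user, so the server never
# needs root just to open its log files.
prepare_log_dir() {
    install -d -o "$2" -g "$2" -m 0750 "$1"
}

# Succeed if a running process (e.g. a worker PID) actually holds
# CAP_NET_BIND_SERVICE in its effective set; useful after the switch.
pid_has_net_bind() {
    mask_has_net_bind "$(sed -n 's/^CapEff:[[:space:]]*//p' "/proc/$1/status")"
}

# Usage (as root): sh grant_cap.sh apply /usr/sbin/nginx www-data /var/log/nginx
if [ "${1:-}" = apply ]; then
    grant_net_bind "$2"
    prepare_log_dir "$4" "$3"
fi
```

A file capability is granted to every account that can execute the binary, so keep its execute permission limited to the service user; the "e" flag is what raises the capability into the effective set at exec without the server calling cap_set_proc(3) itself.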
nginx or www-data) should own said file. So that's not a good reason at all. And it was named before in an answer. – 0xC0000022L Aug 16 '18 at 08:15