  1. #1
    Linux Newbie
    Join Date
    Dec 2009
    Posts
    241

    start services without root

    Hi,
    I've a little Server and wanna start the services (postfix, apache, etc.) without root.
    My problem is, that I've installed GroupOffice and I always got errors about permissions in some folder.
    When I took a look, some of the folders the apache created were from root, some from www-data.
    After some searches in the Internet I've read that only the root user is allowed to start a Service at Ports 1-1024 or something like that...

    I've already searched for programs which give the rights to the applications / unlocks them with root for a certain application ... but I've no more idea what words to search for.

    Where is that **itt implemented?
    Is it possible to disable that?

    How can I start the services without giving them root privileges?!
    It's a security issue after all.

  2. #2
    Linux Guru Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    2,096
    Apache does drop root privileges for actual content serving.
    You can define which uid/gid the children will have.

    And apache does not create directories.
    Whatever of your directories have false permissions,
    either they were already that way,
    or some cronjob sets the permissions,
    or some sync process sets them,
    or some other application, probably in php/perl/etc does.

    My advice would be to carefully plan what data is needed by which daemon/process and set the user/group permissions accordingly.

    And btw:
    Going against a basic concept of unix is a bit on the bold side.
    You must always face the curtain with a bow.

  3. #3
    Linux Newbie
    Join Date
    Dec 2009
    Posts
    241
    And apache does not create directories.
    All these folders were created by the same php scripts within some min. Most folders' owner was www-data, some folders were owned by root.
    The only way I can explain it is that the apache with the root privileges started the php scripts ... meaning it is content serving
    I'm going to write my own script for just testing that and the amount how often it happens.

    EDIT START
    Just done so, my own script just creates www-data owned folders, so my assumption that the error lies within the apache with root privileges was wrong.
    I am going to look deeper into these php scripts.
    EDIT END

    ? Could it be a problem within the apache settings? do I need to set something so he drops the root rights?

    My advice would be to carefully plan what data is needed by which daemon/process and set the user/group permissions accordingly.
    Wouldn't be of any use if a bug within apache can grant full root privileges.

    There's the same problem with all the other applications that start on ports below 1000, each one with possible bugs; some of them aren't even starting children.

    Can you please tell me the reason why these Ports got this restriction?

  4. #4
    Linux Guru Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    2,096
    The logic is this:
    - ports 1-1024 are "well-known". As you know, http is port 80.
    - only one process can bind to an IP/port combination
    - so this is a rare resource
    - unix are multi-user operating systems
    If these ports were not restricted to root, one could imagine users fighting over this resource.

    But I do admit, in today's world, where everyone and his uncle binds ports at will and even dynamically, this particular concept has lost a bit of its meaning.


    Please recheck your setup.
    I am certain that an apache driven php does not have root rights.
    Apache will use its root privileges to
    - bind to ports 80/443
    - open/write logfiles
    - fork children with another uid/gid

    These children will then serve content, execute php scripts, etc.

  5. #5
    Linux Guru Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    2,096
    Hmm, these root owned files/directories..
    Could it be, that they were created by -for example- a root cronjob?
    Other possibilities:
    - a scp/rsync/ftp/nfs that writes with root
    - another process, running as root.

  6. #6
    Linux Newbie
    Join Date
    Dec 2009
    Posts
    241
    Hmmm I tried to create a bunch of folders and delete them, everything worked.
    It's possible that all those wrong folders were created during the setup ... not the installation because the folder where these Folders are located is told to the program during the setup with a php script.

    However ... since it doesn't seem to happen anymore I am fine with just changing the owner of a few directories...

    What I don't get is why just a few sub-directories were owned by root.
    Out of 10 Folders 2 were root owned ... not the main folders but sub-folders ... that's what I don't get ...
    however I won't be able to find a bug that isn't happening anymore ... I'll take a closer look when I set this up a next time.

    Thanks for the Information you gave me, it's much appreciated.
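
A way to audit the stray root-owned sub-directories discussed in this thread, as an added example that is not part of any post: it lists every entry under a data directory whose owner is not the uid the Apache workers run as. The function names, the www-data account lookup and the path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: Apache workers run as the
# www-data account and the application's data lives under one directory.

# _valid DIR UID: succeed only for an existing directory and a numeric uid.
_valid() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    case $2 in
        ''|*[!0-9]*) echo "numeric uid required: $2" >&2; return 2 ;;
    esac
}

# list_foreign DIR UID: long listing (numeric owner, mode, mtime) of every
# entry under DIR whose owner is not UID. The mtime column helps match a
# stray root-owned directory to a cron run or a manual copy made as root.
list_foreign() {
    _valid "$1" "$2" || return
    # -xdev keeps the walk on one filesystem; -n prints numeric uid/gid.
    find "$1" -xdev ! -user "$2" -exec ls -ldn {} +
}

# count_foreign DIR UID: number of such entries. One byte is printed per
# match, so file names containing newlines are still counted once.
count_foreign() {
    _valid "$1" "$2" || return
    find "$1" -xdev ! -user "$2" -exec printf . \; | wc -c | tr -d ' '
}

# Typical use (hypothetical path):
#   list_foreign /var/www/groupoffice-data "$(id -u www-data)"
```

Run it as a user that can read the whole tree; a non-zero count after a cron window or a deployment points at the job that wrote the files as root.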
