Why are web servers traditionally started as superuser

Tags: capabilities, chroot, root, security, webserver

Thinking about a future web server setup, it struck me that for some reason web servers usually start as root and then drop certain rights (setuid) for the worker processes. In addition there is often chroot involved, which isn't exactly meant as a security measure.

What I was wondering is: why can web servers (I have administered everything from Apache and lighttpd to nginx) not use the capability system (capabilities(7)), such as CAP_NET_BIND_SERVICE, on Linux and simply start as a non-root user? … this way still listening on a privileged port below 1024.

Or better, I think most of them could, but why isn't that common practice? Why not …

  • use setcap(8) with CAP_NET_BIND_SERVICE on the binary being run?
  • set up the log folders to allow the (non-root) user to write there
  • …, if you felt like chroot helps at all, use chroot or lxc to "jail" the web server?

The only thing I could come up with that would make this less beneficial than starting outright as root is that a (worker) child process may kill the parent.

So why are they traditionally being started as root when afterwards everything is done to get rid of implied security issues that come with it?

Best Answer

Although POSIX has a standard for capabilities which I think includes CAP_NET_BIND_SERVICE, these are not required for conformance and may in some ways be incompatible with the implementation on, e.g., Linux.

Since web servers like Apache are not written for only one platform, using root privileges is the most portable method. I suppose it could do this specifically on Linux and BSD (or wherever support is detected), but this would mean the behaviour would vary from platform to platform, etc.

It seems to me you could configure your system so that any web server could be used this way; there are some (perhaps clumsy) suggestions about this WRT apache here: NonRootPortBinding.

So why are they traditionally being started as root when afterwards everything is done to get rid of implied security issues that come with it?

They're started as root because they usually need to access a privileged port, and traditionally this was the only way to do it. The reason they downgrade afterward is because they do not need privileges subsequently, and to limit the damage potential introduced by the myriad of third party add-on software commonly used by the server.

This is not unreasonable, since the privileged activity is very limited, and by convention many other system daemons run as root continuously, including other inet daemons (e.g., sshd).

Keep in mind that if the server were packaged so that it could be run as an unprivileged user with CAP_NET_BIND_SERVICE, this would allow any non-privileged user to start HTTP(S) service, which is perhaps a greater risk.
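As an added example (not part of the question or the answer above), here are the two start-up strategies the thread contrasts, written in Python for Linux: the traditional sequence of binding the privileged port as root and then irreversibly dropping to an unprivileged user and group, and the capability-based alternative, where the process checks its own effective capability mask (`CapEff` in `/proc/self/status`, in which CAP_NET_BIND_SERVICE is bit 10 per `linux/capability.h`) to see whether it can bind port 80 without being root. The `www-data` account named in the `__main__` block is an assumption; substitute whatever user your server runs as.

```python
# Added example (not from the original question or answer): the two start-up
# strategies the thread contrasts, in Python on Linux.
#  (a) traditional: bind the privileged port as root, then drop to an
#      unprivileged user/group before serving anything;
#  (b) capability-based: inspect CapEff in /proc/self/status to see whether
#      the process already holds CAP_NET_BIND_SERVICE (capability number 10
#      in linux/capability.h) and so can bind port 80 without root.
import grp
import os
import pwd
import socket

CAP_NET_BIND_SERVICE = 10  # bit index in the CapEff mask


def bind_listener(port, host="0.0.0.0", backlog=128):
    """Create the listening socket. Port 0 asks the kernel for an ephemeral
    port (handy for tests); ports < 1024 need root or CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def drop_privileges(user, group=None):
    """Permanently switch to an unprivileged identity.

    Order matters: supplementary groups first, then gid, then uid. The uid
    goes last because once setuid() to a non-zero uid succeeds the process
    can no longer change its groups (or anything else) as root.
    """
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    os.setgroups([])          # shed root's supplementary groups
    os.setgid(gid)
    os.setuid(pw.pw_uid)
    os.umask(0o027)           # new files (logs, temp) not world-readable


def privileges_dropped():
    """True only if we are not root AND cannot get root back."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False              # setuid(0) succeeded: saved uid was still 0


def start(port, user, group=None):
    """Traditional sequence: privileged bind, then irreversible drop."""
    sock = bind_listener(port)
    if os.geteuid() == 0:
        drop_privileges(user, group)
    if not privileges_dropped():
        sock.close()
        raise RuntimeError("still privileged after drop; refusing to serve")
    return sock


def cap_in_mask(hexmask, capnum):
    """Test one capability bit in a /proc/<pid>/status-style hex mask."""
    return bool(int(hexmask, 16) >> capnum & 1)


def effective_caps(status_text):
    """Extract the CapEff hex mask from the text of /proc/self/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")


def has_cap_net_bind_service():
    """Does the running process hold CAP_NET_BIND_SERVICE (e.g. granted via
    setcap on the binary or a service manager)?"""
    with open("/proc/self/status") as f:
        return cap_in_mask(effective_caps(f.read()), CAP_NET_BIND_SERVICE)


if __name__ == "__main__":
    # "www-data" is a hypothetical account name; use your server's user.
    if has_cap_net_bind_service() or os.geteuid() == 0:
        s = start(80, user="www-data")
    else:
        s = start(8080, user="www-data")
    print("listening on", s.getsockname(), "as uid", os.geteuid())
```

The capability route the question asks about is `setcap cap_net_bind_service=+ep /path/to/server` (check with `getcap`). Two caveats a practitioner should weigh: the file capability lives on the inode, so it silently disappears when a package upgrade replaces the binary, and, as the answer points out, every local user who can execute that binary then holds the capability too. Granting the capability per service instead (for example with systemd's `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the unit) avoids the second problem while still letting the process start as a non-root user.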
