zzw (original): Getting Apache to start as a non-root user (binding a port below 1024 as a non-root user)


Scenario: Apache was compiled by an ordinary (non-root) user, and it has to be started by that same user while listening on a port below 1024.

1. Assume the ordinary user is sims20. That user compiled and installed an Apache under /opt/aspire/product/sims20/apache:

    ./configure --prefix=/opt/aspire/product/sims20/apache   --enable-so --enable-modules=all   --enable-mods-shared=all   --enable-mods-shared='proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_rewrite'

  make
  make install

  (Note that --enable-mods-shared is given twice on this configure line; configure keeps only the last value it is given, so the first, =all, has no effect.)

2. After the build, set the Listen port in httpd.conf to 80.

3. Start it directly as the ordinary user sims20:

  [sims20@bcd-app01 bin]$ ./apachectl  start
(13)Permission denied: make_sock: could not bind to address [::]:80
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs

     Cause: on Linux, ports below 1024 are privileged. An ordinary user can only bind ports from 1024 upward; ports 1 to 1023 can only be bound by root (or by a process holding the CAP_NET_BIND_SERVICE capability). The bind fails in the httpd parent process during startup, and the "no listening sockets available" and "Unable to open logs" lines follow from that failure, not from a separate permission problem on the log files.

4. Work around it with setuid, so that httpd runs with root privileges.

      Log in as root, go to /opt/aspire/product/sims20/apache/bin, and run chown root httpd followed by chmod u+s httpd, which makes root the owner of httpd and sets the setuid bit:

      Caveat: after this, httpd is a setuid-root binary that is also world-executable (mode 4755). Any local user who can run it can start an httpd parent process as root under a configuration file of their choosing (httpd -f), and that parent opens its log and pid files as root before it drops privileges for the workers. Where the kernel supports file capabilities, the narrower fix is to grant only the port-binding capability rather than full root: setcap 'cap_net_bind_service=+ep' httpd. httpd then binds port 80 while running entirely as sims20 (Apache only switches to the User/Group directives when it is started as root, so with setcap those directives are simply not applied).

[root@bcd-app01 bin]# ls  -l  httpd
-rwxr-xr-x 1 sims20 aspire 3517470  Mar 15 17:12 httpd
[root@bcd-app01 bin]# chown root  httpd
[root@bcd-app01 bin]# ls  -l  httpd
-rwxr-xr-x 1 root aspire 3517470  Mar 15 17:12 httpd
[root@bcd-app01 bin]# chmod u+s httpd
[root@bcd-app01 bin]# ls  -l  httpd
-rwsr-xr-x 1 root aspire 3517470  Mar 15 17:12 httpd

5. Switch back to the ordinary user sims20 and start Apache:

          [sims20@bcd-app01 bin]$ ./apachectl  start

        It starts normally, with no error.

6. Try to access it:

 [sims20@bcd-app01 bin]$ curl  http://10.24.12.159:80
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

It returns a 403 Forbidden error.

7. Look at the processes:

[sims20@bcd-app01 bin]$ ps  -ef |grep httpd
root      7841     1  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7844  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7845  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7846  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7847  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7848  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    8006  3026  0 17:29 pts/4    00:00:00 grep httpd

Where does the daemon user come from? The httpd parent process still runs with root privileges (it is the one that bound port 80), while its worker children run as a lower-privileged user, and that user, daemon here, is whatever the User directive in httpd.conf names. The daemon account evidently cannot read the DocumentRoot under the sims20 install tree, which is what produces the 403.

 

8. Edit httpd.conf and change the user to root:
   User daemon
   Group daemon

    becomes
    User root
    Group root

9. Start Apache again as the ordinary user:

   [sims20@bcd-app01 bin]$ ./apachectl  restart
Syntax error on line 76 of /opt/aspire/product/sims20/apache/conf/httpd.conf:
Error:  Apache has not been designed to serve pages while
        running as root.  There are known race conditions that
        will allow any local user to read any file on the system.
        If you still desire to serve pages as root then
        add -DBIG_SECURITY_HOLE to the CFLAGS env variable
        and then rebuild the server.
        It is strongly suggested that you instead modify the User
        directive in your httpd.conf file to list a non-root
        user.

That does not work: the server would have to be recompiled with that extra flag, and the message explains why that is a bad idea (worker processes running as root let any local user read any file on the system).

10. Edit httpd.conf again and set the user to the ordinary user instead:

    becomes
    User sims20
    Group aspire

11. Start Apache again as the ordinary user sims20. The parent still runs as root; the workers now run as sims20:

[sims20@bcd-app01 bin]$ ./apachectl  start
[sims20@bcd-app01 bin]$ ps  -ef  |grep  httpd
root      9720     1  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9721  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9722  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9723  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9724  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9725  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9739  3026  0 18:09 pts/4    00:00:00 grep httpd

12. Try to access it again:

[sims20@bcd-app01 bin]$ curl  http://10.248.12.159:80
<html><body><h1>It works!</h1></body></html>

    Success.
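Once httpd is setuid root, the thing worth verifying after every start is that exactly one process (the parent) runs as root and every worker runs as the intended user, since a worker that runs as the wrong account gives the 403 from step 7 and a worker that runs as root is the situation the error in step 9 refuses. The script below is an added example and is not part of the original post or of Apache itself; it reads `ls -l`, httpd.conf and `ps -ef` text so it can be run against live output or, as here, against samples constructed from the post's own command output. The binary path and user names are the post's; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the privilege layout
# that the setuid-root httpd produces. Each check is fed text so it can run
# against live `ls -l` / httpd.conf / `ps -ef` output or captured output:
#   check_setuid_root LS_LINE     - is the binary setuid AND owned by root?
#   config_user      CONF_TEXT    - which user does the User directive name?
#   check_workers    USER PS_TEXT - parent runs as root, every worker as USER?

HTTPD=/opt/aspire/product/sims20/apache/bin/httpd   # path from the post

# Classify one `ls -l` line for the httpd binary. Prints setuid-root,
# setuid-nonroot or not-setuid; returns 0 only for setuid-root.
check_setuid_root() {
    set -- $1                      # split the ls line: $1 mode, $2 links, $3 owner
    case "$1" in
        ???s*|???S*) ;;            # 4th mode character carries the setuid bit
        *) echo not-setuid; return 1 ;;
    esac
    if [ "$3" = root ]; then echo setuid-root; return 0; fi
    echo setuid-nonroot; return 1
}

# Print the user named by the last uncommented User directive in httpd.conf
# text (directive names are case-insensitive); return 1 if there is none.
config_user() {
    found=""
    while read -r key val rest; do
        case "$key" in [Uu][Ss][Ee][Rr]) found=$val ;; esac
    done <<EOF
$1
EOF
    [ -n "$found" ] || return 1
    echo "$found"
}

# Check `ps -ef` text: an httpd row whose parent is another httpd row is a
# worker and must run as $1; any other httpd row is a parent and must run as
# root. Prints one line per violation; returns 0 when the layout is clean.
check_workers() {
    want=$1
    ps_text=$2
    pids=" "
    rc=0
    # pass 1: collect the pids of httpd processes; only rows carrying the full
    # binary path count, so the `grep httpd` row in the post's output is skipped
    while read -r user pid ppid rest; do
        case "$rest" in *"$HTTPD"*) pids="$pids$pid " ;; esac
    done <<EOF
$ps_text
EOF
    if [ "$pids" = " " ]; then echo "no httpd processes found"; return 1; fi
    # pass 2: classify each httpd row as worker or parent and check its user
    while read -r user pid ppid rest; do
        case "$rest" in *"$HTTPD"*) ;; *) continue ;; esac
        case "$pids" in
            *" $ppid "*) [ "$user" = "$want" ] || { echo "worker $pid runs as $user, expected $want"; rc=1; } ;;
            *)           [ "$user" = root ]    || { echo "parent $pid runs as $user, expected root"; rc=1; } ;;
        esac
    done <<EOF
$ps_text
EOF
    return $rc
}

# Constructed sample inputs, copied from the post's output (steps 4, 7 and 11).
LS_HTTPD='-rwsr-xr-x 1 root aspire 3517470 Mar 15 17:12 httpd'
CONF_DAEMON='Listen 80
User daemon
Group daemon'
CONF_FINAL='Listen 80
#User daemon
#Group daemon
User sims20
Group aspire'
PS_DAEMON='root      7841     1  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7844  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7845  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7846  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7847  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
daemon    7848  7841  0 17:24 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    8006  3026  0 17:29 pts/4    00:00:00 grep httpd'
PS_FINAL='root      9720     1  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9721  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9722  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9723  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9724  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9725  9720  0 18:09 ?        00:00:00 /opt/aspire/product/sims20/apache/bin/httpd -k start
sims20    9739  3026  0 18:09 pts/4    00:00:00 grep httpd'

# Stand-alone demo: replay the post's two runs. The install tree belongs to
# sims20, so sims20 is the user the workers have to be.
echo "binary: $(check_setuid_root "$LS_HTTPD")"
echo "--- httpd.conf User $(config_user "$CONF_DAEMON") (the 403 run):"
check_workers sims20 "$PS_DAEMON" || echo "workers cannot read the sims20 tree -> 403"
echo "--- httpd.conf User $(config_user "$CONF_FINAL") (the working run):"
check_workers sims20 "$PS_FINAL" && echo "ok: parent root, workers sims20"
```

On a live box replace the samples with `ls -l "$HTTPD"`, `cat httpd.conf` and `ps -ef` output; the parent/worker split relies only on the PID/PPID columns, so it does not matter whether the parent was started from a shell (PPID 1 after daemonizing, as in the post) or by a service manager.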

