Jarry | 22 May 2013 23:01

How can I run apache as non-root user?

Hi Gentoo community,

I modified the apache config to have it running on the non-privileged
port 8080. I restarted apache and verified that it is
really listening on port 8080 (netstat). But when I check
all running apache processes for their owners, I see there is still
one apache process running as root (the rest are running as
the "apache" user).

So my question is: how can I run apache completely as a non-root
user? IIRC, "root" is necessary only if I want to use "low"
port numbers (0-1023), but my apache is using 8080...

Jarry
-- 
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.

Tanstaafl | 22 May 2013 19:49

Openssl 1.0.1c/d have serious issues?

Hello all,

1. dev-libs/openssl-1.0.1c is the current stable version

2. Reliable sources on the postfix list claim c (and d) versions have 
'serious' issues:

On 2013-05-22 12:19 PM, Viktor Dukhovni wrote:
 > 1.0.1c has some known issues, you should use 1.0.1e.

and

On 2013-05-22 12:38 PM, Quanah Gibson-Mount <quanah <at> zimbra.com> wrote:
 > Both 1.0.1c and 1.0.1d had *serious* problems.  Unless you can
 > absolutely confirm that Gentoo has applied all of the patches from
 > both of those releases to their build, I would strongly advise you to
 > roll your own 1.0.1e release.
 >
 > --Quanah

So... can anyone comment on this? Does the stable version 1.0.1c apply 
patches to address these issues?

Samuraiii | 22 May 2013 18:36

VPN vs LAN address hostname resolution

Hello,

I am trying to get hostname address resolution on my LAN and VPN with
one serious problem:
I have two "networks", e.g. 10.1.1.0 and 10.2.2.0, which represent the
local address space for the LAN (10.1.1.0/8) and the VPN address space (10.2.2.0/8).
Every host has its own address "suffix" (e.g. host foo has LAN address
10.1.1.3 and VPN address 10.2.2.3).
I would like to set up some sort of resolution which would account for
the availability of a host on the LAN:
If host foo is in the same LAN as host bar, the connection would be carried
through the LAN interface with the LAN address and NOT (as avahi is trying to
do) over the VPN connection, which goes through a remote server and
is therefore *a lot* slower than the LAN connection.
The LAN address is not always available, but the VPN address is.

So my question is: is there something which would do almost the same as
avahi but would be capable of prioritizing interface/address?

Thank you in advance for your advice
S

James | 22 May 2013 04:16

Re: IPTables - Going Stateless

Adam Carter <adamcarter3 <at> gmail.com> writes:

> Anyone advocating stateless firewalls in 2013 deserves scrutiny. I would 
> be asking for some evidence there is a performance issue, and that the 
> best solution to the problem is to turn off stateful inspection.

There are lots of tools and approaches to security. Here is something
you might want to investigate further: Stateless Firewall Filters,
great for fending off DDoS and such.

Instead of the Maginot wall (firewall router), several different
security devices can be layered in a serial path to perform
various and different security functions.

Here is a starting point by a fairly reputable routing vendor:

http://www.juniper.net/techpubs/en_US/junos12.2/topics/concept/firewall-filter-overview.html

http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-security-swconfig-interfaces-and-routing/topic-47671.html

http://www.juniper.net/techpubs/en_US/junos/topics/concept/firewall-filter-types.html

James

Nick Khamis | 21 May 2013 18:29

Re: IPTables - Going Stateless

On 5/21/13, Neal Murphy <neal.p.murphy <at> alum.wpi.edu> wrote:
> You still aren't accepting *each* direction. Either accept each direction
> with explicit rules or rewrite the rules so they apply to both directions at
> once. The former is probably easier to understand months later, even though
> it is more verbose.
>
> Mea culpa. I missed the '--dport'; that should be changed to '--sport' in
> one of the rules. I adjusted the rule below.
>
> N
>
> On Tuesday, May 21, 2013 11:07:10 AM you wrote:
>> Hello Everyone,
>>
>> #echo -e "       - Accepting SSH Traffic"
>> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5
>> --dport 22 -j ACCEPT
>> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j
>> DROP
>>
>> Everything works fine with the REJECT rules commented out, but when
>> included, SSH access is blocked. Not sure why, isn't the sequence
>> correct (i.e., the ACCEPT entries before the DROP and REJECT)?
>
> SSH isn't a one-way protocol. I believe you need at least one more rule.
> This:

Nick Khamis | 21 May 2013 18:01

Re: IPTables - Going Stateless

For testing purposes I changed the ssh rule to:

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

And still no go. As mentioned before, everything works fine until I
try to close up the rest of the ports not opened up in the chains
"UDP" and "TCP" stated above:

#echo -e "       - Dropping input TCP and UDP traffic to closed ports"
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e "       - Dropping output TCP and UDP traffic to closed ports"
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e "       - Dropping input traffic to remaining protocols sent to closed ports"
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e "       - Dropping output traffic to remaining protocols sent to closed ports"
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

That is when I cannot SSH over to the server.

N.
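The missing piece, as an added example that is not from the thread: a stateless rule set for the SSH server at 192.168.2.5 that accepts both directions explicitly, with the reply rule placed before the catch-all OUTPUT REJECTs quoted above (those REJECTs are what kill the server's replies once conntrack is gone). It assumes the INPUT chain jumps TCP traffic to the custom TCP chain, as the poster's script appears to do, and it prints the rules by default instead of applying them.

```shell
# Added example, not from the thread: stateless (no conntrack) rules that
# let SSH to the box work. DRY_RUN=1 (the default) prints the rules
# instead of applying them; run with DRY_RUN=0 as root to install them.
DRY_RUN="${DRY_RUN:-1}"
IPTABLES='/sbin/iptables'
INTIF1='eth0'            # interface name from the thread
LAN='192.168.2.0/24'     # LAN prefix from the thread
HOST='192.168.2.5'       # SSH server address from the thread

# Print or apply one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Without connection tracking there is no ESTABLISHED state, so both
# halves of every TCP conversation need their own rule, and the reply
# rule must sit *before* any catch-all REJECT on the OUTPUT chain.
stateless_ssh_rules() {
    # 1. Client -> server: anything from the LAN to port 22 (SYN, data, FIN).
    ipt -A TCP -p tcp -m tcp -s "$LAN" -d "$HOST" --dport 22 -j ACCEPT
    # 2. Server -> client: replies leave with source port 22. "! --syn"
    #    keeps this rule from doubling as permission to *open* connections
    #    from port 22, the closest a stateless filter gets to "reply only".
    ipt -A OUTPUT -o "$INTIF1" -p tcp -m tcp -s "$HOST" --sport 22 -d "$LAN" ! --syn -j ACCEPT
    # 3. Everything else aimed at port 22 is dropped (evaluated after the ACCEPT).
    ipt -A TCP -p tcp -m tcp ! -s "$LAN" -d "$HOST" --dport 22 -j DROP
}

stateless_ssh_rules
```

Any other service the box must answer needs the same pair of rules (dport in, sport out), and SSH sessions the box opens to other hosts need the mirror image (sport-any/dport-22 out, sport-22 in).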


the guard | 21 May 2013 17:30

Re: [gentoo-user] IPTables - Going Stateless


Tuesday, 21 May 2013, 11:07 -04:00 from Nick Khamis <symack <at> gmail.com>:
> Hello Everyone,
> 
> We recently moved our stateful firewall inside, and would like to
> strip down the firewall at our router connected to the outside world.
> The problem I am experiencing is getting things to work properly
> without connection tracking. I hope I am not in breach of mailing list
> rules however, a stripped down configuration is as follows:
> 
> #!/bin/bash
> IPTABLES='/sbin/iptables'
> 
> #Set interface values
> INTIF1='eth0'
> 
> #flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> 
> #echo -e "       - Accepting input lo traffic"
> $IPTABLES -A INPUT -i lo -j ACCEPT
> 
> #echo -e "       - Accepting output lo traffic"
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
> 
> #echo -e "       - Defined Chains"
> $IPTABLES -N TCP
> $IPTABLES -N UDP
> 

Nick Khamis | 21 May 2013 17:07

IPTables - Going Stateless

Hello Everyone,

We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking. I hope I am not in breach of mailing list
rules; however, a stripped-down configuration is as follows:

#!/bin/bash
IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e "       - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e "       - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e "       - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e "       - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5

Dale | 21 May 2013 01:08

Seamonkey and path to internet

Howdy,

I noticed over the past few weeks an interesting issue.  When I leave
Seamonkey open for several hours, it loses its connection to the
internet.  If I open Firefox, it works fine.  I can ping in a Konsole
too.  In Seamonkey though, not even a simple page like google will work.
If I close Seamonkey and then restart it, it works fine.  I don't have
to log out of KDE or anything either.  Just restart Seamonkey and it
works for a few more hours. Also, it affects both browser and email.

What is the path that Seamonkey takes to get to the internet?  I have
tried an older version of Seamonkey but get the same results, so I figure
it is something between Seamonkey and the internet that Firefox doesn't
use that I need to upgrade, downgrade or otherwise beat some sense
into.  Just in case:

[ebuild   R   ~] www-client/seamonkey-2.17.1  USE="alsa chatzilla crypt
dbus ipc jit libnotify roaming startup-notification -custom-cflags
-custom-optimization -debug -gstreamer -system-jpeg -system-sqlite
-wifi" LINGUAS="-be -ca -cs -de -en_GB -es_AR -es_ES -fi -fr -gl -hu -it
-ja -lt -nb_NO -nl -pl -pt_PT -ru -sk -sv_SE -tr -uk -zh_CN -zh_TW" 0 kB

Thanks. 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

Douglas J Hunley | 20 May 2013 19:52

howto on setting up rootfs on ZFS?

I used the existing wiki to get ZFS up and running on my system a few weeks ago and after getting familiar with it, beating it up a bit, and breaking it in as many different ways as I could envision, I think I'm happy with it. I'd now like to use it as my rootfs. I'm going to leave /boot as a separate extX filesystem for simplicity's sake. I can't find any decent Gentoo-related documentation on setting up rootfs on ZFS. I'm not even sure what boot media supports ZFS (system rescue cd doesn't, and my googling turns up a bunch of *bsd based media).

Anyone done this before and care to help a brotha out?

--
Douglas J Hunley (doug.hunley <at> gmail.com)
Twitter: <at> hunleyd    Web: douglasjhunley.com
G+: http://goo.gl/sajR3

Clemente Aguiar | 20 May 2013 10:34

SMART error (CurrentPendingSector) detected on host

Hello,

Besides replacing the disk, can you please advise what can be done to
get rid of the following message?
I have run a check on all ext partitions, and all seems fine.

thank you,
Clemente

-------------------

This email was generated by the smartd daemon running on:

    host name: caguiar-gentoo
   DNS domain: [Unknown]
   NIS domain: (none)

The following warning/error was logged by the smartd daemon:

Device: /dev/sda [SAT], 2 Currently unreadable (pending) sectors

For details see host's SYSLOG.

You can also use the smartctl utility for further investigation.
No additional email messages about this problem will be sent.

