[Pharo-project] about vm dropping privileges
renggli at gmail.com
Tue Dec 2 16:00:38 EST 2008
> I was rereading our excellent forthcoming seaside book :)
> And lukas wrote
> "To listen on port 80, the standard port used by the HTTP protocol,
> web server needs to run as root. Running a public service as root is
> a huge security issue. Dedicated web servers such as Apache drop
> their root privileges after startup. This allows them to listen to
> 80 while not being root. Unfortunately this is not something that can
> be easily done from within the Smalltalk VM. "
> And I was wondering what is the exact problem?
Unix blocks port 1 - 1024 for non root users. Running a Smalltalk
image as root is obviously a very bad idea, especially when used for
web services. Smalltalk is full of security holes (for example Object
class>>#readFrom: uses the compiler) that would allow a smart person
to gain root rights. It is always good idea to run anything that is
publicly reachable in some sort of a sandbox, even if this is just by
using a non-privileged user.
More information about the Pharo-dev