Hi, I am trying to restrict Apache 2.4.5 / 2.4.6-dev as much as possible.

Without "CAP_DAC_OVERRIDE" I get warnings about any docroot not existing, while after start all vhosts are fully operational. The other capabilities are clear: to switch the user and bind port 80, CAP_IPC_LOCK maybe for php-opcaches. But why does httpd need CAP_DAC_OVERRIDE while starting initially as root?

CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID

Jul 21 00:04:01 srv-rhsoft httpd[8813]: AH00112: Warning: DocumentRoot [/mnt/data/www/www] does not exist
Jul 21 00:04:01 srv-rhsoft httpd[8813]: AH00112: Warning: DocumentRoot [/mnt/data/www/private] does not exist

CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID

All fine, no warnings.