Yaws allows one to use PAM for authentication purposes. However, the epam
binary used for this is not installed suid root, so the yaws user cannot
authenticate against the system's shadow passwords. The local administrator
may want to override the permissions of /usr/lib/yaws/priv/epam.

To make it sgid shadow, run

  dpkg-statoverride --add root shadow 02755 /usr/lib/yaws/priv/epam

To make it suid root, run

  dpkg-statoverride --add root yaws 04750 /usr/lib/yaws/priv/epam

In the latter case only the yaws user (in fact, all users in group yaws) will
be able to execute the binary.

----------

If you want Yaws to listen on privileged ports (80 for HTTP or 443 for HTTPS),
you may set the YAWS_USER variable in the /etc/default/yaws config file to
root. But if you don't want Yaws to run as root, you may grant it the
capability to bind to privileged ports using the following command:

  setcap 'cap_net_bind_service=+ep' /usr/lib/erlang/erts-*/bin/beam \
         'cap_net_bind_service=+ep' /usr/lib/erlang/erts-*/bin/beam.smp

Unfortunately, these capabilities will be lost after the next upgrade of the
Erlang packages, so you'll have to rerun the command after any Erlang upgrade.

Alternatively, if you're using systemd and the supplied yaws.service unit, you
may create the file /etc/systemd/system/yaws.service.d/caps.conf with the
following content:

  [Service]
  AmbientCapabilities=CAP_NET_BIND_SERVICE

After that run

  systemctl daemon-reload

to make systemd reread the YAWS service unit configuration, and then start it
as usual:

  systemctl start yaws.service

See the systemd.unit(5) manpage for the details (example 2: overriding vendor
settings).

 -- Sergei Golovan  Wed, 28 Mar 2018 13:08:55 +0300
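As an added check that is not part of the yaws package or this README: a POSIX shell script that verifies the settings described above are still in place (file capabilities on the beam binaries, the systemd drop-in, and the epam override), which matters because an Erlang upgrade silently drops the setcap bits. It uses the paths given above and handles both the older "FILE = cap+ep" and newer "FILE cap=ep" getcap output formats; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the yaws Debian package: re-check the privilege
# settings the README describes, e.g. after an Erlang upgrade replaced beam.

# Return 0 if a getcap(8) output line grants cap_net_bind_service with both the
# effective and permitted bits; accepts old and new libcap output formats.
has_bind_cap() {
    caps=${1#* }                 # strip the file name
    caps=${caps#= }              # older libcap prints "= " before the caps
    for group in $caps; do       # a group looks like cap_chown,cap_net_bind_service=ep
        case $group in *[+=]*) ;; *) continue ;; esac
        names=${group%%[+=]*}
        flags=${group#*[+=]}
        case ",$names," in *,cap_net_bind_service,*) ;; *) continue ;; esac
        case $flags in *e*) ;; *) continue ;; esac
        case $flags in *p*) return 0 ;; esac
    done
    return 1
}

# Return 0 if a systemd drop-in (the caps.conf approach above) grants
# CAP_NET_BIND_SERVICE as an ambient capability.
dropin_grants_bind_cap() {
    grep -qs '^AmbientCapabilities=.*CAP_NET_BIND_SERVICE' "$1"
}
# Return 0 if epam's mode, owner and group (as printed by stat -c '%a %U %G')
# match one of the two dpkg-statoverride settings given above.
epam_override_ok() {
    case "$1:$2:$3" in
        2755:root:shadow|4750:root:yaws) return 0 ;;
        *) return 1 ;;
    esac
}
# Live check against the paths this README uses; run as root with "--check".
check_live() {
    rc=0
    command -v getcap >/dev/null || { echo "getcap not found (libcap2-bin)"; return 1; }
    for bin in /usr/lib/erlang/erts-*/bin/beam /usr/lib/erlang/erts-*/bin/beam.smp; do
        [ -f "$bin" ] || continue
        has_bind_cap "$(getcap "$bin")" && continue
        echo "MISSING: $bin lacks cap_net_bind_service, rerun setcap"; rc=1
    done
    dropin_grants_bind_cap /etc/systemd/system/yaws.service.d/caps.conf &&
        echo "ok: systemd drop-in grants CAP_NET_BIND_SERVICE (setcap not needed)"
    epam_override_ok $(stat -c '%a %U %G' /usr/lib/yaws/priv/epam 2>/dev/null) ||
        echo "note: epam has default permissions, no statoverride applied"
    return $rc
}

if [ "${1:-}" = "--check" ]; then check_live; fi
```

The script exits non-zero when a beam binary lacks the capability, so it can be run from a post-upgrade hook or a cron job to catch the lost setcap bits before Yaws fails to bind port 80 or 443.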