Yaws can use PAM for authentication. However, the epam binary used for this
is not installed suid root, so it cannot authenticate against shadow system
passwords. The local administrator may want to override the permissions for
/usr/lib/yaws/priv/epam.

To make it sgid shadow, run

    dpkg-statoverride --add root shadow 02755 /usr/lib/yaws/priv/epam

To make it suid root, run

    dpkg-statoverride --add root yaws 04750 /usr/lib/yaws/priv/epam

In the latter case only the yaws user (in fact, all users in group yaws) will
be able to execute the binary.

----------

If you want Yaws to listen on privileged ports (80 for HTTP or 443 for HTTPS),
you may set the YAWS_USER variable in the /etc/default/yaws config file to
root. If you don't want Yaws to run as root, you may instead grant it the
capability to bind to privileged ports using the following command:

    setcap 'cap_net_bind_service=+ep' /usr/lib/erlang/erts-*/bin/beam \
           'cap_net_bind_service=+ep' /usr/lib/erlang/erts-*/bin/beam.smp

Unfortunately, these capabilities will be lost after the next upgrade of the
Erlang packages, so you'll have to rerun the command after any Erlang upgrade.

 -- Sergei Golovan Sun, 13 May 2012 16:40:33 +0400
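
A check for the capability loss after an Erlang upgrade mentioned above, as an added example that is not part of the original README or the Yaws package. The function name missing_bind_cap and the erts-X.Y sample path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list Erlang VM binaries that lack cap_net_bind_service.

# missing_bind_cap FILE...
# Reads `getcap` output on stdin and prints every FILE that has no
# cap_net_bind_service entry carrying both the effective (e) and
# permitted (p) flags. Both getcap output styles are accepted:
#   older: "/path/beam = cap_net_bind_service+ep"
#   newer: "/path/beam cap_net_bind_service=ep"
# A file with no capabilities does not appear in getcap output at all.
missing_bind_cap() {
    caps=$(cat)
    for f in "$@"; do
        if ! printf '%s\n' "$caps" | awk -v f="$f" '
            index($0, f " ") == 1 {              # exact path, not a prefix
                rest = substr($0, length(f) + 2)
                sub(/^= /, "", rest)             # drop the older "= " separator
                n = split(rest, clause, " ")
                for (i = 1; i <= n; i++) {
                    if (clause[i] !~ /cap_net_bind_service[^ ]*[=+]/) continue
                    flags = clause[i]
                    sub(/^.*[=+]/, "", flags)    # keep only the flag letters
                    if (flags ~ /e/ && flags ~ /p/) ok = 1
                }
            }
            END { exit !ok }'
        then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample: beam.smp kept its capability, beam lost it.
sample='/usr/lib/erlang/erts-X.Y/bin/beam.smp = cap_net_bind_service+ep'
printf '%s\n' "$sample" | missing_bind_cap \
    /usr/lib/erlang/erts-X.Y/bin/beam /usr/lib/erlang/erts-X.Y/bin/beam.smp

# Real use after an Erlang upgrade:
#   set -- /usr/lib/erlang/erts-*/bin/beam /usr/lib/erlang/erts-*/bin/beam.smp
#   getcap "$@" | missing_bind_cap "$@"
```

Any path it prints needs the setcap command from this README run again before Yaws can bind to port 80 or 443 as a non-root user.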