Working as root while Apache is running; how much a risk?
Alan Horn
ahorn at deorth.org
Fri Jul 9 00:16:07 UTC 2004
On Thu, 8 Jul 2004, Michael Sullivan wrote:
> When I first started using Red Hat Linux 8.0 I was reading through the
> Red Hat Linux Security Guide and it said to always shut down Apache when
> logged in as root to prevent hackers from coming in through the web
> server. I've always done it because the Security Guide said to, but
> never really understood why. How would hackers come in through the web
> server? I realize that they could telnet in, but wouldn't they have to
> log in as a user? What exactly would happen? Can anyone tell me how
> this would be accomplished? It's annoying having to stop Apache when I
> log in to work on the system and then starting it again when I log
> out...
Um, I've never heard of that restriction. You should never _RUN_ the
webserver as root (the same goes for any processes that interact with the
outside world where at all possible).
Perhaps that's where the confusion comes from?
The reason for not running a webserver as root is that any method that a
hacker uses to compromise that webserver will then have a greater level
(e.g. root) of access into your system: read and modify any files, trash
your disks, etc.
Cheers,
Al
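
The reply's point can be checked against a server's configuration. The script below is an added example, not part of the original message: it reads httpd.conf-style text on stdin and reports which account the `User` and `Group` directives assign to the processes that handle requests. The function names and both sample configurations are constructed for illustration; it assumes a single file (no `Include` following) and that the last occurrence of a directive wins.

```shell
#!/bin/sh
# Added example: report which identity the User/Group directives give Apache.
# Assumptions: one file on stdin (Include is not followed); last occurrence wins.
audit_httpd_identity() {
    awk '
        function clean(v) { gsub(/"/, "", v); return v }
        # Only the literal name root and numeric id 0 are recognised; other
        # account names are not resolved against the password database.
        function is_root(v) { return v == "root" || v ~ /^#0+$/ }
        # Comments are whole lines starting with "#". "User #0" is not a
        # comment: it is the numeric-uid form of the directive.
        /^[ \t]*#/ { next }
        {
            d = tolower($1)                      # directive names are case-insensitive
            if (d == "user"  && NF >= 2) user  = clean($2)
            if (d == "group" && NF >= 2) group = clean($2)
        }
        END {
            verdict = "OK"
            if (user == "" || group == "") verdict = "UNSET"
            if (is_root(user) || is_root(group)) verdict = "ROOT"
            if (user == "")  user  = "(unset)"
            if (group == "") group = "(unset)"
            printf "user=%s group=%s verdict=%s\n", user, group, verdict
        }
    '
}

# Constructed sample: request handlers run as an unprivileged account.
sample_safe_conf() {
cat <<'EOF'
# constructed sample
Listen 80
User apache
Group apache
EOF
}

# Constructed sample: the unprivileged User line is commented out and a
# numeric uid 0 is set instead, so a compromised handler would act as root.
sample_root_conf() {
cat <<'EOF'
# User apache
Listen 80
user #0
Group apache
EOF
}

sample_safe_conf | audit_httpd_identity
sample_root_conf | audit_httpd_identity
```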