Working as root while Apache is running; how much a risk? (repost after subject line error)
Michael Sullivan
michael at espersunited.com
Fri Jul 9 15:42:54 UTC 2004
Can you clarify what "_RUN_ the web server" means? My current practice
is this: The only way I work on my server PC is through ssh from a
client computer because my server PC doesn't have a monitor hooked up to
it. Anyway, I log in as root and the very first thing I do is "service
httpd stop". I go about doing whatever task I have to do in that
session and then I say, "service httpd start; exit". Are you saying
that I don't have to have Apache stopped while I'm logged in as root, or
are you saying I shouldn't stay logged in as root after I issue "service
httpd start"?
> Date: Thu, 8 Jul 2004 17:16:07 -0700 (PDT)
> From: Alan Horn <ahorn at deorth.org>
> Subject: Re: Working as root while Apache is running; how much a risk?
> To: For users of Fedora Core releases <fedora-list at redhat.com>
> Message-ID: <Pine.NEB.4.60.0407081714230.962 at slick.sigje.org>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Thu, 8 Jul 2004, Michael Sullivan wrote:
>
> > When I first started using Red Hat Linux 8.0 I was reading through the
> > Red Hat Linux Security Guide and it said to always shut down Apache when
> > logged in as root to prevent hackers from coming in through the web
> > server. I've always done it because the Security Guide said to, but
> > never really understood why. How would hackers come in through the web
> > server? I realize that they could telnet in, but wouldn't they have to
> > log in as a user? What exactly would happen? Can anyone tell me how
> > this would be accomplished? It's annoying having to stop Apache when I
> > log in to work on the system and then starting it again when I log
> > out...
>
> Um, I've never heard of that restriction. You should never _RUN_ the
> webserver as root (the same goes for any processes that interact with the
> outside world where at all possible).
>
> Perhaps that's where the confusion comes from?
>
> The reason for not running a webserver as root is that any method that a
> hacker uses to compromise that webserver will then have a greater level
> (e.g. root) of access into your system: read and modify any files, trash
> your disks.. etc...
>
> Cheers,
>
> Al
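Alan's point is that the web server process itself must never run as root, regardless of who is logged in. The check below is an added example (not from either poster) for verifying that on a Fedora box: it assumes the usual layout where the httpd parent runs as root to bind port 80 and forks its request-handling workers as the user named by the `User` directive in httpd.conf (`apache`), so any worker whose user is root is the condition to flag. The `check_httpd_workers` function and the sample listings are constructed for this example.

```shell
#!/bin/sh
# Flag Apache worker processes running as root.
# Input on stdin: lines of "USER PID PPID COMMAND", as printed by
#   ps -eo user,pid,ppid,comm
# A "worker" is an httpd whose parent is itself an httpd; the top-level
# parent (whose parent is init) is expected to be root and is not reported.
# Prints one line per offending worker and exits 1 if any were found.
check_httpd_workers() {
    awk '
        $4 == "httpd" { user[$2] = $1; ppid[$2] = $3 }
        END {
            bad = 0
            for (pid in user) {
                if ((ppid[pid] in user) && user[pid] == "root") {
                    printf "worker pid %s runs as root (parent %s)\n", pid, ppid[pid]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample listings (not captured from a real system).
# Healthy: root parent, workers dropped to the "apache" user.
SAMPLE_OK='root 1200 1 httpd
apache 1201 1200 httpd
apache 1202 1200 httpd'

# Misconfigured: one worker never dropped privileges.
SAMPLE_BAD='root 1200 1 httpd
apache 1201 1200 httpd
root 1203 1200 httpd'

# On a live system:  ps -eo user,pid,ppid,comm | check_httpd_workers
```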