Working as root while Apache is running; how much a risk? (repost after subject line error)

Wayne Leutwyler wleutwyl at columbus.rr.com
Fri Jul 9 16:47:15 UTC 2004


Try this:

ps -ef | grep httpd

What you should see is something like below:

apache   10423  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
apache   10424  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
apache   10425  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
apache   10426  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
apache   10427  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
apache   10428  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
apache   10429  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
apache   10430  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D

Now if you see root where apache is that means your httpd server was
started by the root user. You should change that ASAP.  As you can see
in my example my httpd server was started by the apache user. 

I hope this example helps. 

Bottom line is that you can log into your server as root and you don't
have to stop the httpd server if the process or processes are owned by
the apache user.

Wayne

On Fri, 2004-07-09 at 11:42, Michael Sullivan wrote:
> Can you clarify what "_RUN_ the web server" means?  My current practice
> is this:  The only way I work on my server PC is through ssh from a
> client computer because my server PC doesn't have a monitor hooked up to
> it.  Anyway, I log in as root and the very first thing I do is "service
> httpd stop".  I go about doing whatever task I have to do in that
> session and then I say, "service httpd start; exit".  Are you saying
> that I don't have to have Apache stopped while I'm logged in as root, or
> are you saying I shouldn't stay logged in as root after I issue "service
> httpd start"?
> 
> 
> > Date: Thu, 8 Jul 2004 17:16:07 -0700 (PDT)
> > From: Alan Horn <ahorn at deorth.org>
> > Subject: Re: Working as root while Apache is running; how much a risk?
> > To: For users of Fedora Core releases <fedora-list at redhat.com>
> > Message-ID: <Pine.NEB.4.60.0407081714230.962 at slick.sigje.org>
> > Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> > 
> > 
> > 
> > On Thu, 8 Jul 2004, Michael Sullivan wrote:
> > 
> > > When I first started using Red Hat Linux 8.0 I was reading through the
> > > Red Hat Linux Security Guide and it said to always shut down Apache when
> > > logged in as root to prevent hackers from coming in through the web
> > > server.  I've always done it because the Security Guide said to, but
> > > never really understood why.  How would hackers come in through the web
> > > server?  I realize that they could telnet in, but wouldn't they have to
> > > log in as a user?  What exactly would happen?  Can anyone tell me how
> > > this would be accomplished?  It's annoying having to stop Apache when I
> > > log in to work on the system and then starting it again when I log
> > > out...
> > 
> > Um, I've never heard of that restriction. You should never _RUN_ the
> > webserver as root (the same goes for any processes that interact with the
> > outside world where at all possible).
> > 
> > Perhaps that's where the confusion comes from?
> > 
> > The reason for not running a webserver as root is that any method that a
> > hacker uses to compromise that webserver will then have a greater level
> > (e.g. root) of access into your system: read and modify any files, trash
> > your disks.. etc...
> > 
> > Cheers,
> > 
> > Al

________________________________________________________________________
Wayne Leutwyler, RHCT
                     Feel the Power of the Penguin!

As long as there is breath in my body,
there will be a Penguin on my Desktop. 

Home: 614-336-9668
Work: 614-410-7507

________________________________________________________________________
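The `ps -ef | grep httpd` check from Wayne's post, turned into a small audit that tells the listener apart from the request-handling workers; this is an added example written for this thread, not code from any of its posters. It assumes a Linux `ps` that accepts `-eo user,pid,ppid,comm`, and the two listings inside it are constructed samples, not real output. The listener that binds the port is normally root; the workers, which are what talk to the outside world, are the processes that must not be.

```shell
#!/bin/sh
# audit_httpd: read a `ps -eo user,pid,ppid,comm` listing on stdin and print
# one line per httpd process as "<pid> <user> parent|worker".
# A process whose parent is itself an httpd process is a worker (the ones that
# handle requests); the remaining httpd process is the listener that binds the
# port. Returns 1 if any worker runs as root, 0 otherwise.
audit_httpd() {
    awk '
        NR == 1 { next }                        # skip the ps header line
        $4 ~ /httpd/ { user[$2] = $1; ppid[$2] = $3 }
        END {
            bad = 0
            for (pid in user) {
                role = (ppid[pid] in user) ? "worker" : "parent"
                printf "%s %s %s\n", pid, user[pid], role
                if (role == "worker" && user[pid] == "root") bad = 1
            }
            exit bad                            # becomes the function status
        }'
}

# Constructed sample listings (not real ps output). SAMPLE_OK matches the
# healthy layout from the post: root listener, workers owned by apache.
SAMPLE_OK='USER       PID  PPID COMMAND
root         1     0 init
root      1125     1 httpd
apache   10423  1125 httpd
apache   10424  1125 httpd
wayne    20001     1 bash'

# SAMPLE_BAD has one worker (pid 10425) running as root.
SAMPLE_BAD='USER       PID  PPID COMMAND
root         1     0 init
root      1125     1 httpd
apache   10423  1125 httpd
root     10425  1125 httpd
wayne    20001     1 bash'

# Live use on a server:  ps -eo user,pid,ppid,comm | audit_httpd
```

Output order follows awk's array iteration and is not sorted; pipe through `sort -n` if you want it by pid.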