On Thu, 2004-07-08 at 22:35, Michael Sullivan wrote:
> Can you clarify what "_RUN_ the web server" means?  My current practice
> is this:  The only way I work on my server PC is through ssh from a
> client computer because my server PC doesn't have a monitor hooked up to
> it.  Anyway, I log in as root and the very first thing I do is "service
> httpd stop".  I go about doing whatever task I have to do in that
> session and then I say, "service httpd start; exit".  Are you saying
> that I don't have to have Apache stopped while I'm logged in as root, or
> are you saying I shouldn't stay logged in as root after I issue "service
> httpd start"?

You do not need to stop apache when you login as root. What he was saying is don't execute the httpd program with root's permissions. If httpd is running with root permissions and someone finds a way to exploit httpd they would then have root level permissions on your server.

httpd should be running as apache or nobody. Do a ps -eaf | grep httpd to see what user it is running as.

You can login to the server as root to perform maintenance. Using ssh as you describe is excellent.

I would suggest you disable root login access to ssh. That means you would login as a normal user then you can use su - to get root level permissions. This prevents someone from logging in directly as root and it gives you a log that tells you who logged in and su'ed to root.

To disable root ssh access edit the /etc/ssh/sshd_config file and set the PermitRootLogin no option. This will keep root from using any of the ssh type commands including ssh and scp.

By doing this someone has to have access to a user account and the root password in order to own the server.

-- 
Scot L. Harris
webid@xxxxxxxxxx

All intelligent species own cats.
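
The two checks suggested in the reply above, written as a small script; this is an added example, not part of the original message. The function names and the sample inputs are constructed for illustration, and it assumes the usual `ps -eaf` column layout and that the parent httpd runs as root (so it can bind port 80) while its workers drop to apache or nobody.

```shell
#!/bin/sh
# Print PIDs of httpd *worker* processes that run as root.
# Reads `ps -eaf` output (UID PID PPID C STIME TTY TIME CMD) on stdin.
# A root-owned parent httpd is expected; only processes whose parent
# is itself an httpd are treated as workers.
root_httpd_workers() {
    awk '
        $8 ~ /(^|\/)httpd$/ { uid[$2] = $1; ppid[$2] = $3 }
        END {
            for (p in uid)
                if (uid[p] == "root" && (ppid[p] in uid)) print p
        }' | sort -n
}

# Print the effective global PermitRootLogin value of an sshd_config
# read on stdin. sshd uses the first value it finds for a keyword and
# keywords are case-insensitive. Settings after a Match line are
# conditional, so parsing stops there. Prints "unset" if absent.
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# Constructed sample input: PID 2107 is a worker still running as root.
sample_ps='UID        PID  PPID  C STIME TTY          TIME CMD
root      2101     1  0 09:12 ?        00:00:00 /usr/sbin/httpd
apache    2105  2101  0 09:12 ?        00:00:00 /usr/sbin/httpd
apache    2106  2101  0 09:12 ?        00:00:00 /usr/sbin/httpd
root      2107  2101  0 09:12 ?        00:00:00 /usr/sbin/httpd'

# Constructed sshd_config fragment: the commented line is ignored and
# the first active PermitRootLogin line wins.
sample_cfg='Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes'

printf '%s\n' "$sample_ps"  | root_httpd_workers
printf '%s\n' "$sample_cfg" | permit_root_login

# On a live host:
#   ps -eaf | root_httpd_workers
#   permit_root_login < /etc/ssh/sshd_config
```

An "unset" result means the sshd default applies, which differs between OpenSSH versions, so setting the option explicitly as the reply suggests removes the ambiguity.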