Re: Working as root while Apache is running; how much a risk? (repost after subject line error)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Can you clarify what "_RUN_ the web server" means?  My current practice
is this:  The only way I work on my server PC is through ssh from a
client computer because my server PC doesn't have a monitor hooked up to
it.  Anyway, I log in as root and the very first thing I do is "service
httpd stop".  I go about doing whatever task I have to do in that
session and then I say, "service httpd start; exit".  Are you saying
that I don't have to have Apache stopped while I'm logged in as root, or
are you saying I shouldn't stay logged in as root after I issue "service
httpd start"?


> Date: Thu, 8 Jul 2004 17:16:07 -0700 (PDT)
> From: Alan Horn <ahorn@xxxxxxxxxx>
> Subject: Re: Working as root while Apache is running; how much a risk?
> To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
> Message-ID: <Pine.NEB.4.60.0407081714230.962@xxxxxxxxxxxxxxx>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> 
> 
> 
> On Thu, 8 Jul 2004, Michael Sullivan wrote:
> 
> > When I first started using Red Hat Linux 8.0 I was reading through
the
> > Red Hat Linux Security Guide and it said to always shut down Apache
when
> > logged in as root to prevent hackers from coming in through the web
> > server.  I've always done it because the Security Guid said to, but
> > never really understood why.  How would hackers come in through the
web
> > server?  I realize that they could telnet in, but wouldn't they have
to
> > log in as a user?  What exactly would happen?  Can anyone tell me
how
> > this would be accomplished?  It's annoying having to stop Apache
when I
> > log in to work on the system and then starting it again when I log
> > out...
> 
> Um, I've never heard of that restriction. You should never _RUN_ the 
> webserver as root (the same goes for any processes that interact with
the 
> outside world where at all possible).
> 
> Perhaps thats where the confusion comes from ?
> 
> The reason for not running a webserver as root is that any method that
a 
> hacker uses to compromise that webserver will then have a greater
level 
> (e.g. root) of access into your system. read and modify any files,
trash 
> your disks.. etc...
> 
> Cheers,
> 
> Al
> 
> 
> 
> 
> ------------------------------




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux