On Fri, Jul 09, 2004 at 12:47:15PM -0400, Wayne Leutwyler wrote:
> Try this:
>
> ps -ef | grep httpd
>
> What you should see is something like below:
>
> apache 10423 1125 0 04:02 ? 00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache 10424 1125 0 04:02 ? 00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache 10425 1125 0 04:02 ? 00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache 10426 1125 0 04:02 ? 00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache 10427 1125 0 04:02 ? 00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache 10428 1125 0 04:02 ? 00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache 10429 1125 0 04:02 ? 00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache 10430 1125 0 04:02 ? 00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
>
> Now if you see root where apache is that means your httpd server was
> started by the root user. You should change that ASAP. As you can see
> in my example my httpd server was started by the apache user.
>
> I hope this example helps.
>
> Bottom line is that you can log into your server as root and you don't
> have to stop the httpd server if the process or processes are owned by
> the apache user.

Yes, this is heinous thread hijacking but it's at least tangentially
related to the former subject.

What are the thoughts on permissions, including ownership, for files and
directories residing on a webserver? Should they all be apache, i.e., the
same owner as the running process? Or would that just make it easier for
the perp to change files if they managed to usurp the running process?
Maybe a totally different unprivileged user?

Myself, I make all my web files owned by nobody and the running process
owned by apache. All static files have 0400 permissions. Directories must
have 0755.

--
Jack Bowling
mailto: jbinpg@xxxxxxx
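
Added example, not part of the thread: a POSIX shell sketch of the two checks discussed above, reporting which accounts run httpd and which document-root entries a given account could modify. The function names and the sample process lines are constructed for illustration; group-writable entries are not examined.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# httpd_users: read "USER COMMAND" lines on stdin, in the shape produced by
# `ps -eo user=,comm=` or `ps -eo user=,args=`, and print each distinct
# account that is running an httpd binary.
httpd_users() {
    awk '$2 == "httpd" || $2 ~ /\/httpd$/ { print $1 }' | sort -u
}

# modifiable_by DOCROOT USER: list entries under DOCROOT that USER could
# change if the server process were taken over:
#   - anything USER owns (an owner can always chmod its own file, so a
#     read-only mode such as 0400 does not protect it), and
#   - anything world-writable.
# USER may be a name or a numeric uid. Symlinks are skipped because their
# own mode bits are not meaningful.
modifiable_by() {
    find "$1" \( -user "$2" -o -perm -0002 \) ! -type l -print | sort
}

# Constructed sample input, not captured from a real host.
SAMPLE_PS='root /usr/sbin/httpd
apache /usr/sbin/httpd
apache /usr/sbin/httpd
root sshd'

printf '%s\n' "$SAMPLE_PS" | httpd_users

# On a live system (docroot path is an assumption, adjust to your layout):
#   ps -eo user=,comm= | httpd_users
#   modifiable_by /var/www/html apache
```

An empty listing from `modifiable_by` for the server's runtime account means a compromised worker cannot rewrite served content through ownership or world-write bits alone.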