On Mon, May 22, 2000 at 09:54:29AM +0100, Dominic Blythe wrote: > i don't use inetd to start apache, i start it from a script > which i can only run as root. if i chmod the script and try > being any other user, it won't start.
it needs root privileges (or more presisly a capability to bind to privileged ports) to bind to port 80. > the documentation says "you will have to start apache as root > and then it will switch to Nobody", it kind of does, I get > one process running as root, and about five running as > Nobody, which I guess are the servers mentioned in > httpd.conf. If i shut down the process owned by root, > apache shuts down. apache doesn't mind how many of the > Nobody server processes are running. this is normal, as apache gets more and more requests it will spawn more children (the nobody processes) and as load lightens up it will start killing its children (what an awful thing to do! ;p) but the parent process must run as root to bind the children to port 80. the parent process (the only running as root) does not serve or listen to any requests. > Yeah But What's The Question? > > Question: is this safe? everybody everywhere always > says never run apache as root, particularly if there > are cgi etc running. yes this is safe and perfectly normal so long as the children processes are not running as root you are fine. the parent needs to run as root to write to the logs and bind the children to port 80 but it will not serve requests itself. however one thing you should do on a debian system is chown /var/www to root and make sure its not group writable. also chown /var/log/apache/* to root.adm and make sure the permissions are 640 or 644. (you have to fix the apache cron jobs to not undo this change) for some insane reason debian leaves the www-root owned by www-data.www-data (the same user debian runs apache as) along with the logs. this is totally wrong as the web server user should NOT own files or have any write permission to anything. if it does then all it takes is one of those unprivileged child processes to be exploited and your web site can be replaced and your logs can be removed. bad bad bad. if you run apache as nobody instead of www-data you should be ok though. (so long as you don't give other users access to the www-data account (user or group). -- Ethan Benson http://www.alaska.net/~erbenson/
pgpC6ern1IUSh.pgp
Description: PGP signature
