On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote: ... > They've also suggested that their conf files be owned by root, and only > readable by the apache user, which you also disagree with. ... Nobody has come up with a good argument for this, or a refutation of my argument against it. > If you do not start apache as root and then drop privileges, it means > that any resources required to start their server will be accessible by > the web server. ... Now when did I e v e r suggest that? I agree with your condemnation of it whole-heartedly. > If the servers conf file is not owned by root, then generally that is > okay, as long as it is not writable by the user running apache. I would > personally still have it owned by root. But, you see, then you have to BE root to edit it - 'sudo counts - and this is what you agreed above was bad. > Your security advice, from what I've seen, is at best misinformed, and > at worst it is negligent. I urge anyone reading this thread to check > some reputable sources before implementing any of Joseph's suggestions. I urge anyone reading this thread to actually read it. -- /*********************************************************************\ ** ** Joe Yao jsdy@xxxxxxx - Joseph S. D. Yao ** \*********************************************************************/ --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|