Joseph S D Yao wrote:
On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote: ...They've also suggested that their conf files be owned by root, and only readable by the apache user, which you also disagree with.... Nobody has come up with a good argument for this, or a refutation of my argument against it.
The refutation is that in order to bind to port 80, have access to keys, etc, httpd must start as root. If the conf files are owned by an "wwwadmin" role user, that's fine, it's one degree removed from root. But if they are owned by the user which httpd process runs-as (after User directives), then the system can be exploited; whomever configures httpd.conf ultimate is running code as-root initially. Perhaps you have modperl configuration, or exploit an overrun of config syntax parsing. Whatever, your conf is run as root, so it is no less secure to demand these files are edited by root.
Your security advice, from what I've seen, is at best misinformed, and at worst it is negligent. I urge anyone reading this thread to check some reputable sources before implementing any of Joseph's suggestions.I urge anyone reading this thread to actually read it.
Please stop pushing an ill advised agenda until you thoroughly understand httpd security. Tom Evans post was the most succinct summary presented yet, and I find no fault in it. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx