Joseph S D Yao wrote:
On Thu, Sep 04, 2008 at 12:33:20PM -0500, William A. Rowe, Jr. wrote:Joseph S D Yao wrote:On Thu, Sep 04, 2008 at 03:55:33PM +0100, Tom Evans wrote: ...They've also suggested that their conf files be owned by root, and only readable by the apache user, which you also disagree with.... Nobody has come up with a good argument for this, or a refutation of my argument against it.The refutation is that in order to bind to port 80, have access to keys, etc, httpd must start as root. If the conf files are owned by an "wwwadmin" role user, that's fine, it's one degree removed from root. ...Which is all I've been saying. Thanks for finally agreeing.
No, I disagree with you above unless the caveats and warnings that you have elided above are restored. People reading the above (with no context) are likely to deploy far more vulnerable configurations than the conventional "maintain httpd.conf files as root" wisdom. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx