Getting Started with Apache 1.3: Running Apache as root?


KevinReichard
07-17-2002, 01:01 PM
These talkbacks are in response to the article, Getting Started with Apache 1.3 (http://www.serverwatch.com/stypes/servers/article.php/1130981).

blockhead writes:
One of the tips for Apache, and for Linux in general, is to not run Apache as root, to prevent crackers from gaining root access to the server. Are the tips supplied in the ApacheToday security tips taking this into account? Or am I supposed to install Apache while logged on as a regular user, thereby installing it under a subdirectory of a regular (not root) user's home page? I installed Red Hat, and installed Apache 1.3 from Red Hat's installation disks. I did this during installation of the entire Red Hat Linux package (most current version). I am assuming that this was installed as root. It was not installed in a subdirectory of one of the regular users. Does this mean that I am running this as root? Do I need to de-install Apache, then log on as a regular user, and re-install Apache? Or do I have it all wrong? Thanks for any help!

Pheno
You just have to change the permissions on your Apache directory; you do NOT need to reinstall Apache to do this.

Look up commands such as:
chmod - changes file permissions
chown - changes who owns the file

What it basically means is that you don't allow Apache to run as root so they can't get to root through Apache.

If you allow a program to run as root then a hacker can just send a buffer overflow to Apache and dump to the # prompt, which is root.
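
Added example, not part of the thread: one way to answer "am I running this as root?" is to read the User directive in httpd.conf and compare it with the owners of the running httpd processes. The parent httpd normally starts as root so it can bind port 80, and its children switch to the account named by User. The function names, the sample config and the process listings below are constructed for illustration.

```shell
#!/bin/sh
# Added example: check which account Apache is configured to run as, and
# whether any worker (child) httpd process is actually running as root.
# All sample data below is constructed for illustration.

# Print the account named by the last active "User" directive in an httpd.conf.
# Directive names are case-insensitive; commented-out lines are skipped.
configured_user() {
    awk 'tolower($1) == "user" { u = $2 } END { if (u != "") print u }' "$1"
}

# Read "USER PID PPID COMMAND" lines on stdin and print the PID of every
# httpd process owned by root whose parent is also an httpd process.
# The parent httpd starts as root to bind port 80; its children should not.
root_workers() {
    awk '$4 == "httpd" { user[$2] = $1; parent[$2] = $3 }
         END { for (p in user)
                   if (user[p] == "root" && (parent[p] in user)) print p }'
}

# Constructed httpd.conf fragment (the commented-out line must be ignored).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# User root
User apache
Group apache
EOF

# Constructed process listing, as from: ps -eo user,pid,ppid,comm
SAMPLE_PS='root 701 1 httpd
apache 702 701 httpd
apache 703 701 httpd
root 650 1 sshd'

# Same listing with one worker wrongly left running as root.
BAD_PS='root 701 1 httpd
root 702 701 httpd
apache 703 701 httpd'

echo "configured user: $(configured_user "$SAMPLE_CONF")"
echo "root workers (good): $(printf '%s\n' "$SAMPLE_PS" | root_workers)"
echo "root workers (bad):  $(printf '%s\n' "$BAD_PS" | root_workers)"
```

On a live system, pipe the output of `ps -eo user,pid,ppid,comm` into `root_workers`; an empty result means no child httpd process is running as root.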