Re: apache question

To: Dominic Blythe <Dominic.Blythe@BCPSoftware.com>
Cc: debian-user@lists.debian.org
Subject: Re: apache question
From: Ethan Benson <erbenson@alaska.net>
Date: Mon, 22 May 2000 01:12:44 -0800
Message-id: <[🔎] 20000522011243.A7243@plato.local.lan>
In-reply-to: <[🔎] 813C64B2C7E6D311A85600500450F99C16A70B@EXCHANGE>; from Dominic.Blythe@BCPSoftware.com on Mon, May 22, 2000 at 09:54:29AM +0100
References: <[🔎] 813C64B2C7E6D311A85600500450F99C16A70B@EXCHANGE>

On Mon, May 22, 2000 at 09:54:29AM +0100, Dominic Blythe wrote:
> i don't use inetd to start apache, i start it from a script
> which i can only run as root. if i chmod the script and try
> being any other user, it won't start.

it needs root privileges (or more presisly a capability to bind to
privileged ports) to bind to port 80.

> the documentation says "you will have to start apache as root
> and then it will switch to Nobody", it kind of does, I get 
> one process running as root, and about five running as
> Nobody, which I guess are the servers mentioned in
> httpd.conf. If i shut down the process owned by root, 
> apache shuts down. apache doesn't mind how many of the
> Nobody server processes are running.

this is normal, as apache gets more and more requests it will spawn
more children (the nobody processes) and as load lightens up it will
start killing its children (what an awful thing to do! ;p) but the
parent process must run as root to bind the children to port 80.  the
parent process (the only running as root) does not serve or listen to
any requests. 

> Yeah But What's The Question?
> 
> Question: is this safe? everybody everywhere always
> says never run apache as root, particularly if there
> are cgi etc running.

yes this is safe and perfectly normal so long as the children
processes are not running as root you are fine.  the parent needs to
run as root to write to the logs and bind the children to port 80 but
it will not serve requests itself.

however one thing you should do on a debian system is chown /var/www
to root and make sure its not group writable.  also chown
/var/log/apache/* to root.adm and make sure the permissions are 640
or 644.  (you have to fix the apache cron jobs to not undo this change)

for some insane reason debian leaves the www-root owned by
www-data.www-data (the same user debian runs apache as) along with the
logs.  this is totally wrong as the web server user should NOT own
files or have any write permission to anything.  if it does then all
it takes is one of those unprivileged child processes to be exploited
and your web site can be replaced and your logs can be removed. bad
bad bad.

if you run apache as nobody instead of www-data you should be ok
though. (so long as you don't give other users access to the www-data
account (user or group).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgp8nYkA9FlEq.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: apache question
  - From: Ian Zimmerman <itz@speakeasy.org>

References:
- apache question
  - From: Dominic Blythe <Dominic.Blythe@BCPSoftware.com>

Prev by Date: Re: Debian vs Red Hat??? I need info.
Next by Date: Re: ppp connection failure - re-post
Previous by thread: apache question
Next by thread: Re: apache question
Index(es):
- Date
- Thread