[Wolves] Couple of Konqueror q's

James Turner james at turnersoft.co.uk
Fri Feb 6 00:49:52 GMT 2004 

On Thursday 05 Feb 2004 12:14 am, Aquarius wrote:
> In article <1075937237.2727.8.camel at bart> you wrote:
> > Oh, a third unrelated question - everyone always says 'don't run as
> > root' which i don't on my two desktop boxes, but my webserver is only
> > set up for root at the moment. Does the 'don't run as root' bit apply to
> > a machine which is in a locked room, with no kb or monitor, and behind a
> > firewall?
>
> Depends. The first time you write a CGI which accidentally does "rm -rf /",
> you'll think, hm, should I have done that?
>
> Don't run as root.

Indeed. To further clarify, the web server software should be running as a 
non-root user (which is typically called "httpd", "apache", "web", or some 
similar variation). Most modern distros ought to set the web server up like 
this by default anyway, but if you use Apache you can type

ps aux | grep httpd

to see which user name is being used. (Shown in the left-hand column)

In order to make it more difficult for crackers to place malicious files on 
the server and subsequently execute them, the user the web server runs under 
should *NOT* have write access to any file or directory that the web server 
is serving out, or to any other files (with the possible exception of /tmp 
and /var/tmp) without having a specific/genuine reason. A similar policy 
should be adopted for other services wherever possible.

For similar reasons damage limitation reasons, it's best to work as a 
non-privilaged user rather than "root" wherever possible. If your web server 
was running under user name "apache" and you logged in as "wayne" to maintain 
the site(s) on it, the files that make up the web sites would/should have 
owner "wayne", group "apache", with read-only access given to the group and 
no access to world.

To further improve security, you could also
 - investigate which add-on modules such as mod_perl, mod_php, etc are running 
and disable any that aren't needed.
 - run the web server in a chroot environment.
 - uninstall any other software which isn't strictly necessary to the running 
of the server

More information about the Wolves mailing list