[Wolves] Couple of Konqueror q's

Wayne Morris wayne at machx.co.uk
Fri Feb 6 02:27:06 GMT 2004


> 
> Indeed. To further clarify, the web server software should be running as a 
> non-root user (which is typically called "httpd", "apache", "web", or some 
> similar variation). Most modern distros ought to set the web server up like 
> this by default anyway, but if you use Apache you can type
> 
> ps aux | grep httpd
> 
The results of this are:

root       796  0.0  0.0 16988   88 ?        S    Feb04   0:00 /usr/sbin/httpd
apache     855  0.0  0.8 18368 2000 ?        S    Feb04   0:01 /usr/sbin/httpd
apache     856  0.0  0.5 18384 1216 ?        S    Feb04   0:00 /usr/sbin/httpd
apache     857  0.0  0.5 18540 1252 ?        S    Feb04   0:00 /usr/sbin/httpd
apache     858  0.0  0.3 18680  808 ?        S    Feb04   0:00 /usr/sbin/httpd
apache     859  0.0  0.4 18360 1080 ?        S    Feb04   0:00 /usr/sbin/httpd
apache     860  0.0  0.4 18632 1088 ?        S    Feb04   0:00 /usr/sbin/httpd
apache     861  0.0  0.4 18520 1080 ?        S    Feb04   0:00 /usr/sbin/httpd
apache     862  0.0  0.7 18648 1772 ?        S    Feb04   0:01 /usr/sbin/httpd
apache    2493  0.0  0.3 18320  696 ?        S    Feb04   0:00 /usr/sbin/httpd

With nobody logged in on the webserver; this is from ssh'ing in from another box.
As you see, one root, rest apache - good or bad?

> to see which user name is being used. (Shown in the left-hand column)
> 
> In order to make it more difficult for crackers to place malicious files on 
> the server and subsequently execute them, the user the web server runs under 
> should *NOT* have write access to any file or directory that the web server 
> is serving out, or to any other files (with the possible exception of /tmp 
> and /var/tmp) without having a specific/genuine reason. A similar policy 
> should be adopted for other services wherever possible.
> 
So apache should not have write access to the web directory, but should
be 'owner' and have read access?


> For similar damage limitation reasons, it's best to work as a 
> non-privileged user rather than "root" wherever possible. If your web server 
> was running under user name "apache" and you logged in as "wayne" to maintain 
> the site(s) on it, the files that make up the web sites would/should have 
> owner "wayne", group "apache", with read-only access given to the group and 
> no access to world.


Hmm, have to look at that, mine are prolly wrong!
> 
> To further improve security, you could also
>  - investigate which add-on modules such as mod_perl, mod_php, etc are running 
> and disable any that aren't needed.
>  - run the web server in a chroot environment.
>  - uninstall any other software which isn't strictly necessary to the running 
> of the server
> 
> 
> _______________________________________________
> Wolves LUG mailing list
> Homepage: http://www.wolveslug.org.uk/
> Mailing list: Wolves at mailman.lug.org.uk
> Mailing list home: http://mailman.lug.org.uk/mailman/listinfo/wolves
Wayne Morris
07960 859346
-- 

Live machinery database
www.machx.co.uk/classifieds/
Most recently added items
www.machx.co.uk/classified/recent.php




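The checks discussed in the thread above, as an added example that is not part of the original posts: a POSIX shell script that lists which users the httpd processes run as, finds files under a document root that the web-server user owns or could write to, and applies the ownership/mode policy the reply describes (owner is the maintainer, group is the web user, group read-only, no world access). The names "wayne" and "apache", the WEBUSER/WEBGROUP variables and the docroot path are assumptions; the demo docroot it builds under mktemp is constructed for the run.

```sh
#!/bin/sh
# Added example, not from the original thread. It scripts the checks the
# reply above describes: which users the httpd processes run as, which
# files under a document root the web-server user could write to, and the
# ownership/mode policy (owner = maintainer, group = web user, group
# read-only, no world access). "wayne", "apache" and the docroot path are
# assumptions; the demo docroot built below is constructed for the run.

# Distinct user names owning httpd/apache2 processes. One root (the parent
# that binds port 80) plus an unprivileged worker user is the expected
# picture; workers running as root would be the thing to fix.
httpd_users() {
    ps -eo user=,comm= | awk '$2 ~ /(httpd|apache2)$/ { print $1 }' | sort -u
}

# Entries under $1 owned by the web user $2. The owner can always chmod,
# so anything listed is effectively writable by the web server; the policy
# in the thread says the owner should be the maintainer instead.
owned_by_web() {
    find "$1" -user "$2" -print | sort
}

# Entries under $1 that the web-server user could modify through mode bits:
# world-writable, or group-writable when the group is the web group $2.
# A properly locked-down docroot returns nothing.
writable_by_web() {
    find "$1" \( -perm -002 -o \( -group "$2" -perm -020 \) \) -print | sort
}

# The suggested ownership (maintainer:webgroup). chown needs root, so the
# command is printed for review rather than run here.
policy_chown_cmd() {
    printf 'chown -R %s:%s %s\n' "$1" "$2" "$3"
}

# The suggested modes: directories 0750 (group may traverse), files 0640
# (group may read). World gets nothing in either case.
apply_modes() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Constructed demo docroot: one world-writable file and one group-writable
# directory, so the audit has something to report. The caller's primary
# group stands in for the web group.
make_demo_docroot() {
    d=$(mktemp -d)
    mkdir "$d/images" "$d/uploads"
    printf '<html></html>\n' > "$d/index.html"
    printf '<?php echo 1; ?>\n' > "$d/recent.php"
    chmod 0666 "$d/recent.php"
    chgrp "$(id -gn)" "$d/uploads"
    chmod 0770 "$d/uploads"
    printf '%s\n' "$d"
}

# Demo: audit, print the chown to run as root, fix the modes, audit again.
# WEBUSER/WEBGROUP default to "apache" (assumed); override on boxes that
# use a different name, e.g. WEBUSER=www-data WEBGROUP=www-data.
if [ "${1:-}" = "--demo" ]; then
    docroot=$(make_demo_docroot)
    webuser=${WEBUSER:-apache}
    webgroup=${WEBGROUP:-$(id -gn)}
    echo "httpd runs as:";         httpd_users
    echo "owned by web user:";     owned_by_web "$docroot" "$webuser"
    echo "writable before fix:";   writable_by_web "$docroot" "$webgroup"
    policy_chown_cmd wayne "$webuser" "$docroot"
    apply_modes "$docroot"
    echo "writable after fix:";    writable_by_web "$docroot" "$webgroup"
    rm -rf "$docroot"
fi
```

Run it with `sh audit.sh --demo` to see the before/after listing; on a real box point the functions at the actual docroot (e.g. `writable_by_web /var/www/html apache`) and run the printed chown as root only after checking the listing, since an application that genuinely needs an upload directory will need that one path group-writable.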