httpd-dev mailing list archives

From Graham Leggett <>
Subject Re: WebDAV and reading / writing files as system users
Date Fri, 30 Apr 2004 18:09:13 GMT
André Malo wrote:

> Hmm. I suspect, the difference is, that Apache was never designed to run as
> root.

You're assuming the root account is the most damaging account to
compromise. In the case of a fileserver, you will very likely want some
files kept more private than others. If I as a hacker wanted to steal
private data from an Apache + DAV fileserver, and all the files were
owned by user "apache", I would simply need to compromise the "apache"
account to have complete unrestricted access to all data on the server.
So, in a fileserver environment, hacking "apache" would be as
disastrous as hacking "root". On this basis I would argue that _in a
fileserver environment_ "all files under one account" is less secure
(aka more risky) than system-based file ownerships.
