httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: httpd's 1st process? security issues ?
Date Sat, 27 Apr 2002 14:54:19 GMT

On 27 Apr 2002, it Force wrote:

> the user/group specifications usually are
> User Apache
> Group Apache
>
> the documentation also states that the first process that
> starts is the root process and then spawns the httpd
> processes.
> does this mean that this could be a security threat since
> the 1st process is the root process.
>
> and what are the chances that an intruder might break in
> through the first process, i.e. while the root process is
> running.
>

The risk is quite low because the requests are all handled by the
low-privileged processes.  The only thing the root process does is take
care of launching child processes when necessary, and these child
processes handle the requests.  No request is ever handled by the root
process.  (It also handles a few other tasks that could be security
sensitive, like launching piped log processes, so there is some small
chance of a misconfiguration leading to a problem.)

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
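
The process layout described in the reply above can be checked from a process listing. The following is an added example, not part of the original message or of the Apache project's code: it classifies `ps -eo pid,ppid,user,comm` output into the root parent, the request-handling children, and root-owned helpers such as piped log programs. The function names, the sample listing and the default binary name `httpd` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit which server processes run as root.
# Assumption: the server binary is called "httpd"; pass another name
# (for instance apache2 on Debian-style systems) as the first argument.

audit_httpd() {
    # stdin: lines of "PID PPID USER COMMAND"; a header line is skipped.
    awk -v srv="${1:-httpd}" '
        $1 ~ /^[0-9]+$/ { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]; par = ppid[p]
                is_srv = (comm[p] == srv)
                par_is_srv = (par in comm) && (comm[par] == srv)
                if (is_srv && !par_is_srv) {
                    # Top-level server process: expected to be root, handles no requests.
                    print "PARENT " p " user=" user[p]
                } else if (is_srv && par_is_srv) {
                    # Children handle requests and should run as the User/Group account.
                    if (user[p] == "root") print "ALERT " p " request-handling child runs as root"
                    else print "OK " p " child user=" user[p]
                } else if (par_is_srv && user[p] == "root") {
                    # For example a piped log program, which inherits the parent uid.
                    print "REVIEW " p " " comm[p] " helper started by server runs as root"
                }
            }
        }'
}

# Constructed sample listing (not taken from a real host).
sample_ps() {
    cat <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     init
  812     1 root     httpd
  813   812 apache   httpd
  814   812 apache   httpd
  815   812 root     rotatelogs
  816   812 root     httpd
EOF
}

# Demo on the sample; on a live host: ps -eo pid,ppid,user,comm | audit_httpd
sample_ps | audit_httpd
```

A `REVIEW` line is not a fault in itself; it marks a program that runs with the parent's privileges, so its binary and the directory it writes to should not be writable by the unprivileged server account.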

