httpd-users mailing list archives

From a...@squigly.net
Subject Re: [users@httpd] fopen of log files
Date Fri, 11 Feb 2005 13:19:03 GMT
User nobody
Group nogroup

1. Apache needs to be launched as root in order to bind to a port lower than
1024 - this is a basic security feature of all UNIX implementations.

----- fair enough

2. Immediately after "grabbing" the port, Apache changes its effective user ID
to something else, typically as user "nobody." This is for security reasons -
running your Web servers as root means that any hole in the server (be it
through the server itself, or through a CGI script, which is much more likely)
could be exploited by an outside user to run a command on your machine.

----- so given this, should the logging not then be conducted not by root, but
by the user/group defined?



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
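
The start-up order the message describes, as an added example that is not part of the original post and is not httpd's own code: a file opened while the process is still privileged stays writable through its descriptor after the process switches to an unprivileged user, because access is checked at open() time. The function names, the sample path and the uid/gid 65534 are assumptions for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes setgroups() on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1, still privileged: access is checked here, at open() time only. */
int open_log(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0640);
}

/* Step 2: permanently become uid/gid (what User and Group select). Groups,
 * then gid, then uid. Returns 0 on success; no-op (0) when not root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0; /* regaining root must fail */
}

/* Step 3: write through the descriptor opened in step 1. */
int log_line(int fd, const char *msg, size_t len)
{
    return write(fd, msg, len) == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    char path[] = "/tmp/example_log_XXXXXX"; /* constructed sample path */
    int was_root = (geteuid() == 0);
    int tmp = mkstemp(path);
    if (tmp < 0) return 1;
    close(tmp);
    int fd = open_log(path);
    /* 65534 is commonly nobody/nogroup; assumed here for illustration. */
    if (fd < 0 || drop_privileges(65534, 65534) != 0) return 1;
    if (!was_root) chmod(path, 0); /* non-root run: simulate "no access" */
    printf("reopen: %s, write via old fd: %s\n",
           open(path, O_WRONLY) < 0 ? "denied" : "allowed",
           log_line(fd, "GET / 200\n", 10) == 0 ? "ok" : "failed");
    return 0;
}
```

Because the descriptor carries the access granted at open time, the log directory itself can stay writable by root only.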

