From: Garth Winter Webb
To: users@httpd.apache.org
Subject: Re: [users@httpd] fopen of log files
Date: Fri, 11 Feb 2005 07:45:01 -0800
Message-Id: <1108136700.27397.5420.camel@jackson.perijove.com>
In-Reply-To: <1108127943.420cb0c71436d@webmail.squigly.net>
References: <1108125764.420ca84404c92@webmail.squigly.net> <200502111356.11906@news.perlig.de> <1108126877.420cac9d1eac9@webmail.squigly.net> <200502111405.04428@news.perlig.de> <1108127640.420caf9886187@webmail.squigly.net> <1108127943.420cb0c71436d@webmail.squigly.net>

On Fri, 2005-02-11 at 05:19, alex@squigly.net wrote:
> User nobody
> Group nogroup
>
> 1. Apache needs to be launched as root in order to bind to a port lower
> than 1024 - this is a basic security feature of all UNIX implementations.
>
> ----- fair enough
>
> 2. Immediately after "grabbing" the port, Apache changes its effective
> user ID to something else, typically as user "nobody." This is for
> security reasons - running your Web servers as root means that any hole
> in the server (be it through the server itself, or through a CGI script,
> which is much more likely) could be exploited by an outside user to run
> a command on your machine.
>
> ----- so given this, should the logging then be conducted not by root,
> but by the user/group defined?

Logging is done by the user/group; the file is just provisioned by root at
startup. The only time you have root in operation is at server startup.
Anything a malicious user could compromise would be a process running as
your user/group. If you are afraid of Apache doing something bad at startup
at the hands of root, it would be a lot easier for someone who has
compromised root to do something bad without the use of Apache.

-- 
Garth Winter Webb

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
  from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
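The pattern Garth describes, as an added example that is not code from this thread or from Apache httpd itself: the process opens the log file while it is still root (the same window in which it would bind a port below 1024), then drops permanently to an unprivileged uid/gid. The descriptor it already holds keeps working, so the unprivileged code can log; a fresh open() of the same root-owned 0600 file is refused. The function names, the log path under /tmp and the uid/gid 65534 (nobody/nogroup on many Linux systems) are assumptions made for this example. When run without root, the drop step is skipped and the example reports that instead.

```c
/*
 * Added example, not code from this thread or from Apache httpd: the
 * "open as root, then drop privileges" pattern.  The parent opens the log
 * file while still root, then switches permanently to an unprivileged
 * uid/gid.  The descriptor it already holds keeps working, but a fresh
 * open() of the same root-owned 0600 file is refused.
 * Function names, the log path and uid/gid 65534 are assumptions.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1 (needs root): create/open the log root-only, in append mode. */
int open_log_as_privileged(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
}

/* Step 2: permanent privilege drop.  Order matters: supplementary groups,
 * then gid, then uid, because once the uid is no longer 0 the group calls
 * would fail.  Returns 0 on success, 1 if the process was not root (nothing
 * to drop), -1 on failure or if root could be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

/* Step 3 (runs unprivileged): write through the inherited descriptor.
 * Returns bytes written, or -1. */
ssize_t log_line(int fd, const char *msg)
{
    char buf[512];
    int n = snprintf(buf, sizeof buf, "%s\n", msg);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    return write(fd, buf, (size_t)n);
}

/* Whole sequence.  Returns 0 when the write succeeded and a fresh open of
 * the log was refused (what you see after a real drop from root), 1 when
 * the write succeeded and the fresh open also worked (process was never
 * root, so the file is simply owned by the caller), -1 on any failure. */
int run_sequence(const char *path, uid_t uid, gid_t gid, const char *msg)
{
    int fd, rc, again, saved_errno;

    unlink(path);                       /* start from a fresh file */
    fd = open_log_as_privileged(path);
    if (fd < 0)
        return -1;

    rc = drop_privileges(uid, gid);
    if (rc < 0 || log_line(fd, msg) < 0) {
        close(fd);
        return -1;
    }

    again = open(path, O_WRONLY | O_APPEND);    /* attempt from the low uid */
    saved_errno = errno;
    if (again >= 0)
        close(again);
    close(fd);

    if (rc == 0)                        /* really dropped: must be refused */
        return (again < 0 && saved_errno == EACCES) ? 0 : -1;
    return again >= 0 ? 1 : -1;         /* never root: own file, opens fine */
}

int main(void)
{
    const char *path = "/tmp/drop_priv_example.log";    /* assumed path */
    int r = run_sequence(path, 65534, 65534, "GET / HTTP/1.0 200");
    printf("result %d (0 = dropped, 1 = not root, -1 = error)\n", r);
    return r < 0;
}
```

The check a practitioner wants on a live httpd is the same one the example performs: the parent process runs as root and the children as the configured User/Group, the log files are owned by root and not writable by that user, and the children nevertheless write to them through descriptors inherited at startup rather than by reopening the files.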