httpd-users mailing list archives

From Joseph S D Yao <j...@tux.org>
Subject Re: [users@httpd] How to start Apache automatically with certificate?
Date Wed, 03 Sep 2008 16:12:57 GMT
On Wed, Sep 03, 2008 at 02:02:16PM +0200, Krist van Besien wrote:
> On Tue, Sep 2, 2008 at 20:18, Joseph S D Yao <jsdy@tux.org> wrote:
...
> > maintaining != starting
> 
> Since any change to the config requires a restart, maintaining a server
> requires you to be able to start it.
...


Fair.  For most changes, anyway.  But maintaining the server files
should not require root privileges.  And if it is possible to re-start
the server without becoming root [requires some assembly - or C], then
do so.

The whole point, which seems to be missed among my earlier whimsical
phrasing and some possible mistakes on my part, is this.  You should do
as little as possible as root.  In the over 35 years that I've been
working on and maintaining *n*x systems, it's amazing the number of
mistakes - often lethal [for the system] - that have been made possible
because someone was doing something as root, rather than as a system
account.  The corollary, of course, is that as few files as possible
should be owned by root, so that you don't have to be root to maintain
them.  The ownership, if possible/necessary, should be spread around to
system accounts with different roles.

Doing everything as root is just plain bad security.  Plan around it.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

