You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Mandy Singh <ma...@gmail.com> on 2008/04/10 19:21:20 UTC

[users@httpd] Running webserver as apache?

Hi,

I need to know if its a good idea to run webserver as user 'apache', have
all files in webroot owned by user apache and perms 644?

Would this still mean that if server runs as apache and it has read/write
access, someone could take advantage of loop holes on the site and overwrite
some files on our site?

Can someone comment?

Thanks,
Mandy.

Re: [users@httpd] Re: Running webserver as apache?

Posted by j k <jo...@gmail.com>.

On Fri, Apr 11, 2008 at 7:27 AM, <ch...@post.ch> wrote:

>  Hi Mandy,
>
> > I need to know if its a good idea to run webserver as
> > user 'apache', have all files in webroot owned by user
> > apache and perms 644?
>
> It's not exactly a good idea, but if you are in a situation
> where the advantage outweighs the problems, then go ahead.
>
> > Would this still mean that if server runs as apache
> > and it has read/write access, someone could take
> > advantage of loop holes on the site and overwrite
> > some files on our site?
>
> Simply speaking yes.
>
> You may also want to look into the mod_suexec.
>
> regs,
>
> Christian Folini
>
 Hi Christian,

could you point us to any discussion on this topic. I'm interested to know
the pros and cons.

Thanks
Jonny

AW: [users@httpd] Re: Running webserver as apache?

Posted by ch...@post.ch.

Hi Mandy,
 
> I need to know if its a good idea to run webserver as
> user 'apache', have all files in webroot owned by user 
> apache and perms 644?
 
It's not exactly a good idea, but if you are in a situation 
where the advantage outweighs the problems, then go ahead.
 
> Would this still mean that if server runs as apache 
> and it has read/write access, someone could take 
> advantage of loop holes on the site and overwrite 
> some files on our site?
 
Simply speaking yes.
 
You may also want to look into the mod_suexec.
 
regs,
 
Christian Folini

[users@httpd] Re: Running webserver as apache?

Posted by Mandy Singh <ma...@gmail.com>.

Anyone?

On Thu, Apr 10, 2008 at 10:51 PM, Mandy Singh <ma...@gmail.com> wrote:

> Hi,
>
> I need to know if its a good idea to run webserver as user 'apache', have
> all files in webroot owned by user apache and perms 644?
>
> Would this still mean that if server runs as apache and it has read/write
> access, someone could take advantage of loop holes on the site and overwrite
> some files on our site?
>
> Can someone comment?
>
> Thanks,
> Mandy.
>