[users@httpd] Re: Running webserver as apache?

[Mandy Singh <ma...@gmail.com>]

Anyone?

On Thu, Apr 10, 2008 at 10:51 PM, Mandy Singh <ma...@gmail.com> wrote:

> Hi,
>
> I need to know if its a good idea to run webserver as user 'apache', have
> all files in webroot owned by user apache and perms 644?
>
> Would this still mean that if server runs as apache and it has read/write
> access, someone could take advantage of loop holes on the site and overwrite
> some files on our site?
>
> Can someone comment?
>
> Thanks,
> Mandy.
>

Re: [users@httpd] Re: Running webserver as apache?

[j k <jo...@gmail.com>]

On Fri, Apr 11, 2008 at 7:27 AM, <ch...@post.ch> wrote:

>  Hi Mandy,
>
> > I need to know if its a good idea to run webserver as
> > user 'apache', have all files in webroot owned by user
> > apache and perms 644?
>
> It's not exactly a good idea, but if you are in a situation
> where the advantage outweighs the problems, then go ahead.
>
> > Would this still mean that if server runs as apache
> > and it has read/write access, someone could take
> > advantage of loop holes on the site and overwrite
> > some files on our site?
>
> Simply speaking yes.
>
> You may also want to look into the mod_suexec.
>
> regs,
>
> Christian Folini
>
 Hi Christian,

could you point us to any discussion on this topic. I'm interested to know
the pros and cons.

Thanks
Jonny

AW: [users@httpd] Re: Running webserver as apache?

[ch...@post.ch]

Hi Mandy,
 
> I need to know if its a good idea to run webserver as
> user 'apache', have all files in webroot owned by user 
> apache and perms 644?
 
It's not exactly a good idea, but if you are in a situation 
where the advantage outweighs the problems, then go ahead.
 
> Would this still mean that if server runs as apache 
> and it has read/write access, someone could take 
> advantage of loop holes on the site and overwrite 
> some files on our site?
 
Simply speaking yes.
 
You may also want to look into the mod_suexec.
 
regs,
 
Christian Folini