On 23 Jun 1997 [EMAIL PROTECTED] wrote:

> it should run as a different user than root AND a different user than
> the httpd it is supposed to configure.  if it runs as root it's just a
> question of time before someone severely compromises the machine.  (I
> know, I have cleaned up after several disasters of that flavor.)

Agreed.

> 
> the configuration server should under no circumstances run as root.
> the tasks you need to perform as root should be contained within
> separate programs suid that do _nothing_ else than, start, stop, or
> restart the server.
> they should be as simple as possible and as paranoid as possible.
> although I have great confidence in those who have written the Apache
> httpd code, httpd is simply too much code and it is close to
> impossible to be even remotely sure there is nothing that can be
> exploited within it.

The problem is that if you can modify the config files, then in most
setups (i.e. where Apache is started by root) you can get root.  As simple
as that.  Running the admin server as a non-root UID just adds another
step to the process of getting root.
