I think it's a little bit paranoid to say you may not run PHP. I find it weird CGI is OK, but PHP isn't... Both are dangerous for your system when they are not administered well. Apache has one parent-instance owned by root. The child-processes are run from the account you specified. I wouldn't worry about that.
A lot of security related issues depend on how you use your machine. Is it a webserver, or a personal desktop PC? In the second case, do you have a permanent internet connection? Is there a router or firewall in between? ...

Maybe you want to read some information about IPtables...?

Steven

On Sat, 2003-06-07 at 19:31, JoeHill wrote:
> I read the "Seven Deadly Sins" of Linux security, and one item concerns
> me:
>
> "On Toxen's "don'ts" list: Don't use PHP, even though it's convenient.
> Don't run DNS, auth (ident) or Apache as root. But, do use suEXEC, a
> tool first introduced in Apache 1.2, that increases security by allowing
> users to develop and run private CGI or SSI programs."
>
> I will look into suEXEC, but I see that on my server, httpd2 is run by
> apache, except for *one* httpd2 process that is run as root. Is
> that necessary, and if not, can I kill it?
>
> Also, why would PHP be a security risk? because it is executed on the
> server and not on the client's browser...?
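The process layout described in the reply above (one root-owned parent, workers under the configured account) can be checked from `ps` output. This is an added example, not part of the original thread; the function name `audit_httpd_owners`, the assumed column layout and the sample process tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which account owns each Apache process.
# Assumed input: the columns printed by `ps -eo user,pid,ppid,comm`.

audit_httpd_owners() {
    # $1 = process name to check (httpd2 is the name used in the thread)
    awk -v name="$1" '
        $4 == name { user[$2] = $1; ppid[$2] = $3 }
        END {
            bad = 0; parents = 0
            for (pid in user) {
                if (ppid[pid] in user) {
                    # Worker: its parent is another process of the same name.
                    if (user[pid] == "root") {
                        printf "FAIL worker %s runs as root\n", pid
                        bad = 1
                    }
                } else {
                    # Parent: the one instance expected to be owned by root.
                    parents++
                    printf "INFO parent %s runs as %s\n", pid, user[pid]
                }
            }
            if (parents != 1) {
                printf "FAIL expected 1 parent, found %d\n", parents
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: healthy layout, one root parent and two workers.
SAMPLE_OK='USER PID PPID COMMAND
root 1201 1 httpd2
apache 1210 1201 httpd2
apache 1211 1201 httpd2
root 1500 1 sshd'

# Constructed sample: a worker (pid 1212) that kept root privileges.
SAMPLE_BAD='USER PID PPID COMMAND
root 1201 1 httpd2
apache 1210 1201 httpd2
root 1212 1201 httpd2'

printf '%s\n' "$SAMPLE_OK" | audit_httpd_owners httpd2
# On a live system: ps -eo user,pid,ppid,comm | audit_httpd_owners httpd2
```

The function exits non-zero when any worker is owned by root or when the number of parent processes is not exactly one, so it can be dropped into a cron job or monitoring check.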