[4997] in WWW Security List Archive
Re: Security issues in Apache?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Apr 8 10:23:51 1997
To: Christopher Petrilli <petrilli@amber.org>
Date: Tue, 8 Apr 1997 12:19:45 +0100 (BST)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: riddle@is.rice.edu, rjc@n2k.com, www-security@ns2.rutgers.edu
In-Reply-To: <199704071300.JAA08543@chaos.amber.org> from "Christopher Petrilli" at Apr 7, 97 08:57:10 am
Reply-To: ben@algroup.co.uk
Errors-To: owner-www-security@ns2.rutgers.edu
Christopher Petrilli wrote:
> Apache is definitely not "less safe" than NCSA, but nor is it necessarily
> more safe. It does seem to have a more active base of developers, but
> whether that is good or bad is something else entirely.
>
> If you're running it, I would recommend you run an absolute minimal
> server on port 80, and run the rest on a totally untrusted port, like
> 8080, thereby eliminating the need to even start the server as root. This
> would at least restrict the damage that could be done.
Apache runs a single process as root, which opens the port and then becomes
another user, then forks the listening processes. The root process never
interacts with the network, and its interaction with the other processes is
limited to counting, killing and creating them. So, I can't really see what
this precaution buys you.
Cheers,
Ben.
--
Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author
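
The bind-then-drop pattern the reply describes, as an added C example; it is not part of the original message and is not Apache source. The function names and the uid/gid 65534 are assumptions, and in this version the drop happens in the forked worker while the parent only waits on it.

```c
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define WORKER_UID 65534 /* assumption: "nobody"; a server reads this from its config */
#define WORKER_GID 65534 /* assumption: "nogroup" */

/* The one step that needs root when port < 1024: open the listening socket. */
int open_listener(unsigned short port) {
    /* sin_addr is left zero, which is INADDR_ANY */
    struct sockaddr_in a = {.sin_family = AF_INET, .sin_port = htons(port)};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Give up root for good: supplementary groups and gid first, uid last.
 * Returns 0 = dropped and verified, 1 = was not root, -1 = failed. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0 || geteuid() == 0) return -1; /* root must be unrecoverable */
    return 0;
}

/* Parent does process bookkeeping only; the worker inherits the socket and sheds
 * root before it would accept(). Returns worker status: 0 = ready, 1 = refused. */
int spawn_worker(int listen_fd) {
    struct sockaddr_in a;
    socklen_t n = sizeof a;
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(WORKER_UID, WORKER_GID) < 0) _exit(1); /* fail closed */
        _exit(getsockname(listen_fd, (struct sockaddr *)&a, &n) == 0 ? 0 : 1);
    }
    return (waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    int fd = open_listener(0); /* 0 = ephemeral port so the demo runs without root */
    return fd < 0 ? 1 : spawn_worker(fd);
}
```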