[5001] in WWW Security List Archive
Re: Security issues in Apache?
daemon@ATHENA.MIT.EDU (Andreas Jung)
Tue Apr 8 17:49:37 1997
Date: Tue, 8 Apr 1997 18:26:06 +0200 (MET DST)
From: Andreas Jung <ajung@sz-sb.de>
Reply-To: Andreas Jung <ajung@sz-sb.de>
To: Christopher Petrilli <petrilli@amber.org>
cc: Prentiss Riddle <riddle@is.rice.edu>, Richard Costine <rjc@n2k.com>,
www-security@ns2.rutgers.edu
In-Reply-To: <199704071300.JAA08543@chaos.amber.org>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 7 Apr 1997, Christopher Petrilli wrote:
>
> If you're running it, I would recommend you run an absolute minimal
> server on port 80, and run the rest on a totally untrusted port, like
> 8080, thereby eliminating the need to even start the server as root. This
> would at least restrict the damage that could be done.
>
There is absolutely no need to worry when you are running
a web server on port 80. Sure, the server must be started as root; however,
every "normal" web administrator changes the user/group of the process to
nobody or a dedicated account with fewer rights. However, running a server
as root is foolish :-)
Best regards
Andreas
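
The start-as-root, bind port 80, then switch to `nobody` sequence described in the message above, as an added C example that is not part of the original post and is not Apache's code. The helper name `drop_root`, the account name `nobody` and the listen backlog are assumptions.

```c
/* Added example, not Apache source: bind port 80 as root, then drop root. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if the process was never root, 0 after a verified drop to
 * uid/gid, -1 on failure (the caller must then exit, not serve). */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 1;
    if (uid == 0 || gid == 0) return -1;      /* refuse a "drop" to root */
    /* Groups first: once setuid() succeeds, the process may no longer
     * change its group ids or supplementary group list. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify every id changed and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    struct sockaddr_in addr;
    struct passwd *pw = getpwnam("nobody");   /* assumed account name */
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(80);                /* binding needs root */
    if (fd < 0 || pw == NULL ||
        bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(fd, 16) != 0) {
        fprintf(stderr, "setup failed (not root, or no such account?)\n");
        return 1;
    }
    if (drop_root(pw->pw_uid, pw->pw_gid) < 0) {
        fprintf(stderr, "drop failed, refusing to serve as root\n");
        return 1;
    }
    printf("listening on port 80 as uid %d\n", (int)getuid());
    return 0;
}
```

The listening socket is created before the drop and stays usable afterwards, which is why only the bind step needs root.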