[techtalk] Running Apache as Root.

[Seageraves Caren]

Hi,

I have programmed for nearly a decade now in a UNIX
environment, but recently made the switch from writing
modeling programs to writing servlets and other server
side code.  I have been reading discussions on this
list for a while and it seems likely that one of the
articulate people who write here might be able to help
me.  Here is my problem.

I inherited a module for Apache that requires Apache
to be run as Root. (mod_admin) While this has not been
a problem in the current use of the module, it could
be a problem if this module is ever run on a server
that comes in contact with the real world.

Apache runs as Root because the mod_admin does
administrative tasks on the server that require root
permissions.  Client machines can request these tasks
via https.  Apache + this module is generally run on a
Linux box, though there is a reasonable chance it will
be ported to a solaris box.  I have two questions
about this.

1) How vulnerable is this server?   All of the
standard things have been done to make this a secure
server.  Unneeded modules have been removed,
server-side includes have been disabled, as have CGIs.


2) Would the server be less vulnerable if I ran Apache
as something other than root, and set up a pipe to
another process on the server that performs the
administrative task and runs as root?  I tend to think
it would be because then the code base that I was
using when I was running as Root would not be as
widely known.  

Thank you in advance for your answers and thank you
for teaching me so much about Linux in the last few
months.

Caren
 


__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 
http://personal.mail.yahoo.com/