[CLUE-Tech] Apache on Debian

Timothy C. Klein teece at silverklein.net
Sat Nov 2 10:53:14 MST 2002


* Jed S. Baer (thag at frii.com) wrote:
> On Sat, 2 Nov 2002 10:15:39 -0700
> "Timothy C. Klein" <teece at silverklein.net> wrote:
> 
> > This is from the file /usr/share/doc/apache/README.Debian
> > 
> > "* The default webpages are owned by root.root by default (*not*
> >   www-data.www-data), so hackers will have a harder time defacing the
> >   site."
> 
> > * Randy Arabie (randy at arabie.org) wrote:
> > > 
> > > I'm trying to get the Apache + PHP + MySQL trifecta running on
> > > my debian (woody) box.
> > > 
> > > The web root is /var/www and noticed things there are owned by
> > > root:root.  Is that standard for debian?  I've seen most other 
> > > unices use another user, like apache:apache, www:www, or 
> > > nobody:nobody.
> 
> Interesting. I wonder how having the files owned by root makes it more
> difficult to deface the site. Presuming that ability to deface means
> you've been cracked, wouldn't it be better to get cracked as httpd:httpd
> or some such, than as root?
> 

The apache daemon runs as var-www, and web hacks that come through
apache will come through as user var-www.  So if the web pages are owned
by root, the cracker has to get root access after cracking the apache
webserver, or he won't be able to change any files.

Now, if the cracker gets root some other way, your web pages may be the
least of your concerns ... :-)

Tim
--
==============================================
== Timothy Klein || teece at silverklein.net   ==
== ---------------------------------------- ==
== "Hello, World" 17 Errors, 31 Warnings... ==
==============================================
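A way to check the property Tim describes on a real DocumentRoot, as an added example that is not part of the original thread or of Debian's apache package: the script below decides, from ownership and mode bits alone, whether the web server's unprivileged account could modify each file under a directory, and lists the ones it could. The account and group names are passed in (www-data:www-data, as the quoted README.Debian names it), GNU or BSD `stat` is assumed, and the files created in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Audit a DocumentRoot for files the web server's unprivileged uid could
# modify.  Added example for this thread; assumptions: the daemon runs as
# the user/group given on the command line, and GNU or BSD stat exists.

# stat_ugm FILE -> prints "owner group mode" (mode in octal)
stat_ugm() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %Lp' "$1"
}

# web_writable FILE WEBUSER WEBGROUP
# Exit 0 if WEBUSER (a member of WEBGROUP) could write FILE through the
# owner, group or other permission bits, 1 otherwise.  Unix applies only
# the owner bits when you own the file, only the group bits when you do
# not own it but are in its group, and the other bits after that; root's
# override is deliberately ignored, since the thread's point is that a
# root-owned 644 file is read-only for the httpd uid.
web_writable() {
    f=$1; wu=$2; wg=$3
    set -- $(stat_ugm "$f")
    owner=$1; group=$2; mode=$3
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    ou=${mode%??}                       # owner digit
    og=${mode#?}; og=${og%?}            # group digit
    oo=${mode#??}                       # other digit
    if [ "$owner" = "$wu" ]; then
        d=$ou
    elif [ "$group" = "$wg" ]; then
        d=$og
    else
        d=$oo
    fi
    [ $(( d & 2 )) -ne 0 ]              # write bit is 2 in each triplet
}

# audit_docroot DIR WEBUSER WEBGROUP
# Print every path under DIR (DIR itself included) that WEBUSER could write.
audit_docroot() {
    dir=$1; wu=$2; wg=$3
    find "$dir" | while IFS= read -r p; do
        web_writable "$p" "$wu" "$wg" && printf '%s\n' "$p"
    done
}

# Usage, e.g. on a Debian box:   sh audit.sh /var/www www-data www-data
# Constructed sample (not from the original post):
#   t=$(mktemp -d); : > "$t/index.html"; chmod 644 "$t/index.html"
#   : > "$t/upload.php"; chmod 666 "$t/upload.php"
#   audit_docroot "$t" www-data www-data   -> prints only $t/upload.php
[ $# -eq 3 ] && audit_docroot "$@"
```

On a box where the web root is owned by root as the README says, the expected output of the audit is empty; any file it prints is one a compromised httpd process could deface without first escalating to root, which is exactly the step Tim says an attacker is otherwise forced through.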


