[CLUE-Tech] Apache on Debian

Jed S. Baer thag at frii.com
Sat Nov 2 11:05:25 MST 2002


On Sat, 2 Nov 2002 10:53:14 -0700
"Timothy C. Klein" <teece at silverklein.net> wrote:

> > "Timothy C. Klein" <teece at silverklein.net> wrote:
> > 
> > > This is from the file /usr/share/doc/apache/README.Debian
> > > 
> > > "* The default webpages are owned by root.root by default (*not*
> > >   www-data.www-data), so hackers will have a harder time defacing
> > >   the site."
> > 
> > Interesting. I wonder how having the files owned by root makes it more
> > difficult to deface the site. Presuming that ability to deface means
> > you've been cracked, wouldn't it be better to get cracked as
> > httpd:httpd or some such, than as root?
> > 
> 
> The apache daemon runs as var-www, and web hacks that come through
> apache will come through as user var-www.  So if the web pages are owned
> by root, the cracker has to get root access after cracking the apache
> webserver, or he won't be able to change any files.

Well, yes. I'd say their using root gives that description some aspect of
a red herring. It could, in fact, be any user other than that under which
the httpd processes are running. Using root makes one think "why should
those files be owned by *root*", as opposed to what they really intended.

jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
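The ownership rule discussed in this thread, as an added example that is not code from the thread or from Debian's apache package: a small POSIX shell audit that lists everything under a document root the web-server account (www-data on Debian) could modify, whether by owning it, through a group write bit, or through a world write bit. It assumes GNU find (for -printf) and that no path in the tree contains a newline.

```shell
#!/bin/sh
# Added example, not from the thread or the Debian package. Assumes GNU find.

# svc_can_write SVC_USER SVC_GROUP OWNER GROUP OCTAL_MODE
# Succeeds (exit 0) if the service account could modify a file with the
# given owner, group and mode. Ownership alone counts: the owner can chmod
# the file back to writable, so a www-data-owned 444 file is still exposed.
svc_can_write() {
    [ "$3" = "$1" ] && return 0
    mode_bits=$((0$5))                      # octal string (e.g. 644) -> integer
    [ "$4" = "$2" ] && [ $((mode_bits & 16)) -ne 0 ] && return 0   # group w (020)
    [ $((mode_bits & 2)) -ne 0 ] && return 0                       # other w (002)
    return 1
}

# list_writable SVC_USER SVC_GROUP DOCROOT
# Prints one line per path the service account could modify. Directories
# are included on purpose: a writable directory lets the account replace
# the files inside it even when those files are owned by root.
list_writable() {
    find "$3" -printf '%u %g %m %p\n' |
    while read -r u g m p; do
        if svc_can_write "$1" "$2" "$u" "$g" "$m"; then
            printf '%s (%s:%s %s)\n' "$p" "$u" "$g" "$m"
        fi
    done
}

# audit_docroot SVC_USER SVC_GROUP DOCROOT
# Exit 0 when the service account can modify nothing under DOCROOT,
# otherwise report the offending paths on stderr and exit 1.
audit_docroot() {
    out=$(list_writable "$1" "$2" "$3")
    [ -z "$out" ] && return 0
    printf 'Files modifiable by %s under %s:\n%s\n' "$1" "$3" "$out" >&2
    return 1
}

# Typical use on a Debian host: audit_docroot www-data www-data /var/www
```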