Thread: This may be very obvious but...

Recently with the Apache exploits i have seen people getting rooted because they install and run Apache as root. I thought that it was just wierd until i read about an article on securityfocus.com that stated the same-so i figured i would help out some of the people new to unix.

always install the server software like apache, ftp, cups, whatever as a seperate username ie user: apache. if you install it as root and you get exploited through apache then the attacker has control of your entire system as opposed to just apache.

hope this helps.

Generally a good idea but remember:

- Some daemons need to run as root to bind to ports and do other things (There is a way around this on Linux, I should investigate it). In particular any daemon which allows system users to login (sshd, ftp if configured as such) needs root.
- Allowing an attacker to compromise and unprivileged account is a really bad idea anyway because they can probably still do things you don't want them to (a user with access to the apache account can at the very *LEAST* carry out DOS attacks effectively, probably much more)
- Chroot is also a potentially effective way to protect daemons, but isn't completely secure either.