September 27th, 2002, 09:49 PM
This may be very obvious but...
Recently with the Apache exploits i have seen people getting rooted because they install and run Apache as root. I thought that it was just wierd until i read about an article on securityfocus.com that stated the same-so i figured i would help out some of the people new to unix.
always install the server software like apache, ftp, cups, whatever as a seperate username ie user: apache. if you install it as root and you get exploited through apache then the attacker has control of your entire system as opposed to just apache.
hope this helps.
September 27th, 2002, 09:57 PM
Glad you posted it...I'm a newbie to *nix, so it helped me! Thanks.
Opinions are like
holes - everybody\'s got\'em.
September 28th, 2002, 08:19 PM
Generally a good idea but remember:
- Some daemons need to run as root to bind to ports and do other things (There is a way around this on Linux, I should investigate it). In particular any daemon which allows system users to login (sshd, ftp if configured as such) needs root.
- Allowing an attacker to compromise and unprivileged account is a really bad idea anyway because they can probably still do things you don't want them to (a user with access to the apache account can at the very *LEAST* carry out DOS attacks effectively, probably much more)
- Chroot is also a potentially effective way to protect daemons, but isn't completely secure either.