fedora-list Digest, Vol 5, Issue 104

Scot L. Harris webid at cfl.rr.com
Fri Jul 9 02:57:28 UTC 2004


On Thu, 2004-07-08 at 22:35, Michael Sullivan wrote:
> Can you clarify what "_RUN_ the web server" means?  My current practice
> is this:  The only way I work on my server PC is through ssh from a
> client computer because my server PC doesn't have a monitor hooked up to
> it.  Anyway, I log in as root and the very first thing I do is "service
> httpd stop".  I go about doing whatever task I have to do in that
> session and then I say, "service httpd start; exit".  Are you saying
> that I don't have to have Apache stopped while I'm logged in as root, or
> are you saying I shouldn't stay logged in as root after I issue "service
> httpd start"?

You do not need to stop apache when you log in as root.

What he was saying is don't execute the httpd program with root's
permissions.  If httpd is running with root permissions and someone
finds a way to exploit httpd they would then have root level permissions
on your server.  httpd should be running as apache or nobody.  Do a ps
-eaf | grep httpd to see what user it is running as.

You can log in to the server as root to perform maintenance.

Using ssh as you describe is excellent.  I would suggest you disable
root login access to ssh.  That means you would log in as a normal user
then you can use su - to get root level permissions.  This prevents
someone from logging in directly as root and it gives you a log that
tells you who logged in and su'ed to root.

To disable root ssh access edit the /etc/ssh/sshd_config file and set
the PermitRootLogin no option.

This will keep root from using any of the ssh type commands including
ssh and scp.  

By doing this someone has to have access to a user account and the root
password in order to own the server.
-- 
Scot L. Harris
webid at cfl.rr.com

All intelligent species own cats. 
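
Added example, not part of the original message: a POSIX shell check for the two settings discussed above. The function names and sample data are constructed, and the process check assumes the `ps -eo user,pid,ppid,comm` column layout and a binary named httpd. Apache's parent process normally stays root to bind port 80, so only root-owned children of another httpd are reported.

```shell
# Print the global PermitRootLogin value from an sshd_config (file argument
# or stdin). sshd uses the first occurrence of a keyword; "unset" means the
# compiled-in default applies. Match blocks and Include files are not followed.
effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        /^#/ || n == 0 { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$@"
}

# Read "USER PID PPID COMMAND" lines on stdin and print the PIDs of httpd
# processes that run as root and whose parent is itself an httpd process.
root_httpd_workers() {
    awk '
        $4 == "httpd" { user[$2] = $1; parent[$2] = $3 }
        END {
            for (pid in user)
                if (user[pid] == "root" && (parent[pid] in user)) print pid
        }
    ' | sort -n
}

sample_sshd_config() {   # constructed sample, not a real server's config
    cat <<'EOF'
Port 22
#PermitRootLogin yes
  permitrootlogin = no
PermitRootLogin yes
EOF
}

sample_ps() {            # constructed sample of ps -eo user,pid,ppid,comm
    cat <<'EOF'
USER       PID  PPID COMMAND
root       812     1 httpd
apache     820   812 httpd
root       821   812 httpd
root       900     1 sshd
EOF
}

echo "PermitRootLogin: $(sample_sshd_config | effective_permit_root_login)"
echo "root-owned httpd workers: $(sample_ps | root_httpd_workers)"
```

On a live server, run `effective_permit_root_login /etc/ssh/sshd_config` and `ps -eo user,pid,ppid,comm | root_httpd_workers`; sshd must be restarted or reloaded before a changed PermitRootLogin takes effect.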




