Working as root while Apache is running; how much a risk?

Jeff Vian jvian10 at charter.net
Fri Jul 9 13:53:27 UTC 2004


On Thu, 2004-07-08 at 21:56, Jorge Fábregas wrote:
> On Thursday 08 July 2004 8:16 pm, Alan Horn wrote:
> 
> >  You should never _RUN_ the webserver as root
> 
> Hi,
> 
> How then do you make Apache listen on port 80 (a port below 1024) as a user
> other than root? ..since only root may use those ports below 1024.
> 
> Jorge
> 

No,

the daemon is started as root, but spawns child processes that drop root
privileges and run as apache.  See below:

root     10718  8.7  1.8 23504 9704 ?        S    08:45   0:00 /usr/sbin/httpd
apache   10721  0.0  1.8 23504 9724 ?        S    08:45   0:00 /usr/sbin/httpd
apache   10722  0.0  1.8 23504 9720 ?        S    08:45   0:00 /usr/sbin/httpd
apache   10723  0.0  1.8 23504 9720 ?        S    08:45   0:00 /usr/sbin/httpd
apache   10724  0.0  1.8 23504 9720 ?        S    08:45   0:00 /usr/sbin/httpd
apache   10725  0.0  1.8 23504 9720 ?        S    08:45   0:00 /usr/sbin/httpd
apache   10726  0.0  1.8 23504 9720 ?        S    08:45   0:00 /usr/sbin/httpd
apache   10727  0.0  1.8 23504 9720 ?        S    08:45   0:00 /usr/sbin/httpd
apache   10728  0.0  1.8 23504 9720 ?        S    08:45   0:00 /usr/sbin/httpd

The first is the parent that initially launches the process (the
'queen') and runs as root.  The others are the worker bees that handle
all requests, and the parent never handles an incoming request. All the
workers run as apache; only the 'queen' runs as root, and all that
process does is monitor and control the others.  The ones running as
apache handle all requests, and if they get compromised, they only have
the privileges of the user apache.
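
Added example, not part of the original post: a small audit of `ps -eo user,pid,ppid,comm` output that checks the layout described above, one root parent whose httpd children all run unprivileged. The sample listings are constructed (the PPIDs are assumed), and the function names are this example's own.

```python
# Added example: audit which user each httpd process runs as.
# Input format is `ps -eo user,pid,ppid,comm` (header line optional).

def parse_ps(text, name="httpd"):
    """Return [(user, pid, ppid)] for processes whose command is `name`."""
    procs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue  # skips the header, blank and malformed lines
        user, pid, ppid, comm = fields[0], int(fields[1]), int(fields[2]), fields[3]
        if comm == name:
            procs.append((user, pid, ppid))
    return procs


def audit(text, name="httpd"):
    """Split httpd processes into parent(s) and workers; flag root workers."""
    procs = parse_ps(text, name)
    pids = {pid for _, pid, _ in procs}
    # A worker is an httpd whose parent is also an httpd.
    parents = [p for p in procs if p[2] not in pids]
    workers = [p for p in procs if p[2] in pids]
    findings = []
    for user, pid, _ in workers:
        if user == "root":
            findings.append(f"worker {pid} runs as root")
    if parents and not workers:
        findings.append("no worker processes found")
    return {"parents": parents, "workers": workers, "findings": findings}


# Constructed sample: PIDs and users follow the listing above, PPIDs are assumed.
GOOD = """\
USER       PID  PPID COMMAND
root     10718     1 httpd
apache   10721 10718 httpd
apache   10722 10718 httpd
root      1234     1 sshd
"""
# Constructed sample of a misconfigured server where one worker kept root.
BAD = GOOD.replace("apache   10722", "root     10722")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit(sample)["findings"] or "ok")
```

On a live system, feed it the real listing, for example by passing the captured output of `ps -eo user,pid,ppid,comm` to `audit()`.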




