web file permissions (was: Working as root while Apache is running; how much a risk?)

Jack Bowling jbinpg at shaw.ca
Fri Jul 9 17:19:20 UTC 2004


On Fri, Jul 09, 2004 at 12:47:15PM -0400, Wayne Leutwyler wrote:
> Try this:
> 
> ps -ef | grep httpd
> 
> What you should see is something like below:
> 
> apache   10423  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache   10424  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache   10425  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache   10426  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache   10427  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache   10428  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache   10429  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> apache   10430  1125  0 04:02 ?        00:00:00 /usr/sbin/httpd -DHAVE_ACCESS -D
> 
> Now if you see root where apache is that means your httpd server was
> started by the root user. You should change that ASAP.  As you can see
> in my example my httpd server was started by the apache user.
> 
> I hope this example helps.
> 
> Bottom line is that you can log into your server as root and you don't
> have to stop the httpd server if the process or processes are owned by
> the apache user.

Yes, this is heinous thread hijacking but it's at least tangentially related
to the former subject. What are the thoughts on permissions, including
ownership, for files and directories residing on a webserver? Should they
all be apache, i.e., the same owner as the running process? Or would that
just make it easier for the perp to change files if they managed to usurp
the running process? Maybe a totally different unprivileged user?

Myself, I make all my web files owned by nobody and the running process
owned by apache. All static files have 0400 permissions. Directories must
have 0755.

-- 
Jack Bowling
mailto: jbinpg at shaw.ca
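As an added example, not from either poster: a small POSIX sh audit covering the two checks raised in this thread, which user the httpd processes run as, and which paths under the web root that user could modify if the process were usurped. The `ps` sample lines and the directory tree are constructed; the current user stands in for the web-server account in the demo because chown to apache or nobody needs root.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh, find(1), awk(1), ps(1).

# Print the distinct users owning httpd/apache processes. Reads "user comm"
# lines on stdin, as produced by:  ps -eo user=,comm= | httpd_users
httpd_users() {
    awk '$2 ~ /^(httpd|apache2?)$/ { seen[$1]++ } END { for (u in seen) print u }' | sort
}

# List every path under $1 that user $2 could modify: paths $2 owns with the
# owner-write bit set, plus anything world-writable. A writable directory also
# lets that user create or remove entries in it, so directories are included.
writable_by_user() {
    root=$1; user=$2
    { find "$root" -user "$user" -perm -0200
      find "$root" -perm -0002; } | sort -u
}

# Number of flagged paths, for a quick pass/fail (0 means nothing writable).
count_writable() {
    writable_by_user "$1" "$2" | awk 'END { print NR }'
}

# Demo on a constructed tree laid out like the post describes (0755 directories,
# read-only static files) plus one deliberately world-writable file.
demo() {
    me=$(id -un)            # stand-in for the httpd user; chown needs root
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/img"
    printf 'hi\n' > "$tmp/htdocs/index.html"
    printf 'x\n'  > "$tmp/htdocs/img/logo.png"
    printf 'y\n'  > "$tmp/htdocs/upload.txt"
    chmod 0755 "$tmp/htdocs" "$tmp/htdocs/img"
    chmod 0444 "$tmp/htdocs/index.html" "$tmp/htdocs/img/logo.png"
    chmod 0666 "$tmp/htdocs/upload.txt"   # flagged: world-writable
    echo "paths $me could modify under $tmp/htdocs:"
    writable_by_user "$tmp/htdocs" "$me"  # the two dirs (owner u+w) and upload.txt
    rm -rf "$tmp"
}
demo
```

Run `ps -eo user=,comm= | httpd_users` on a live box to get the same answer as the `ps -ef | grep httpd` check above, and `count_writable /var/www apache` to see whether the process user owns anything it could rewrite.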