LinuxQuestions.org


PennyroyalFrog 06-04-2004 02:14 AM

safest way to run apache
 
What's the safest way to run Apache, is there a way to run it not as root? Make a user with privileges that allow it to start httpd but not enough where if Apache is compromised a hacker can do harm to your computer? I still consider myself a Linux newbie and probably will for a long time so keep that in mind ;) . Thanks in advance.

bruno buys 06-04-2004 07:56 AM

Well, Apache's security isn't root related, I guess. But I can be wrong. If you configure the httpd.conf file properly, Apache will do ok. Also, you may wish to run a firewall.
There are several config options in httpd.conf, and many of them are security related. Take a good look in it, and read the docs. I'm sure you can do a very secure http server by configuring this file.

Donboy 06-04-2004 08:11 AM

Yeah, there is really very little chance of apache being compromised... it's very secure. The user and group that apache runs as are specified in the httpd.conf file. You can put "nobody" for both of them, or you can make a user and group called "apache" and put that for both.

PennyroyalFrog 06-04-2004 04:13 PM

Okay I created a user/group and edited the httpd.conf file as such. I still need to start httpd as root though right?

About firewalls, I currently use firestarter, is there a special way to configure where it leaves public access to port 80 but blocks any unwanted activity through port 80?

Thanks.

Donboy 06-04-2004 08:14 PM

Yes, start apache as root. It will run as the user you specified in the conf file.

Sorry, no experience with firestarter.
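
The User/Group setup discussed above (start httpd as root, workers run as the account named in httpd.conf) can be checked with a short script. This is an added example, not part of any post in the thread; the process name "httpd", the "apache" account and the sample input are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from the thread). "httpd" as the process name and the
# "apache" account are assumptions; the sample input below is constructed.

# Print the value of a directive (User or Group) from an httpd.conf-style
# file. Comment lines are skipped, names match case-insensitively, and the
# last occurrence is reported (assumes a later directive overrides an earlier one).
conf_directive() {  # $1 = directive name, $2 = config file
    awk -v d="$1" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(d) && NF >= 2 { v = $2 }
        END { gsub(/"/, "", v); print v }' "$2"
}

# Return 0 if User and Group are both set to something other than root.
# "#0" is the numeric form of uid/gid 0; an unset directive also fails.
audit_conf() {  # $1 = config file
    user=$(conf_directive User "$1")
    group=$(conf_directive Group "$1")
    for v in "$user" "$group"; do
        case "$v" in
            ""|root|"#0") echo "FAIL: User='$user' Group='$group'"; return 1 ;;
        esac
    done
    echo "OK: workers run as $user:$group"
}

# Read "USER PID PPID COMMAND" lines (as from: ps -eo user,pid,ppid,comm)
# and print the PID of every httpd worker still owned by root. A worker is
# an httpd whose parent is also httpd; the root-owned parent is expected,
# because it is the process that was started as root.
root_workers() {
    awk '$4 == "httpd" { user[$2] = $1; parent[$2] = $3 }
         END { for (p in user)
                   if (user[p] == "root" && (parent[p] in user)) print p }'
}

# Constructed sample run.
conf=$(mktemp)
printf '%s\n' '# excerpt' 'User nobody' 'User apache' 'Group apache' > "$conf"
audit_conf "$conf"                       # OK: workers run as apache:apache
printf '%s\n' 'root 100 1 httpd' 'apache 101 100 httpd' \
              'root 102 100 httpd' | root_workers   # 102
rm -f "$conf"
```

On a live system, point `audit_conf` at the real httpd.conf and pipe `ps -eo user,pid,ppid,comm` into `root_workers`; any PID it prints is a worker that did not drop root.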

Tuttle 06-04-2004 09:31 PM

Quote:

Originally posted by PennyroyalFrog
About firewalls, I currently use firestarter, is there a special way to configure where it leaves public access to port 80 but blocks any unwanted activity through port 80?

I recommend This little beauty. Once you get used to the config file (/etc/iptables-firewall.conf) it's a winner!

Kristijan 06-05-2004 01:55 AM

Also read up on chroot, it's a wonderful thing :) The URL below works with Apache 1.3.x, but I'm sure you should be able to still do the same for Apache 2.x

http://www.linuxexposed.com/modules....rticle&sid=495

Donboy 06-05-2004 10:57 AM

Note that the method Kristijan recommended will not work with PHP or CGI or any other webscripting language. You may be better off using "suexec" which will work with these languages and will ensure that each user's webspace is running as their user and group. Since you're running Redhat (noted in your profile) it is fairly easy to set up suexec.


All times are GMT -5.