There is no problem here, your apache is set up correctly. The apache process must start as root so that it can bind to port 80, since you need root access to bind to one of the 'privileged ports' below 1024. Apache then drops privileges; it does this by forking off one or more child processes of itself which run under the apache (or www-data in your case) user. These child processes are the ones that handle the requests from web clients, and the root process is effectively a 'stub' process in that it's not doing anything.
The fact that these unprivileged processes are descendants (i.e. child, grand-child, great-grand-child etc.) processes of a root process doesn't lessen the security in any way. *ALL* processes on a Linux system are descendants of the 'init' process, which runs as root. So the fact that your apache processes are children of a root process would no more enable them to assume root privileges, even if compromised by a hacker, than I could use the fact that the firefox instance I'm using to write this is a child of the init process to assume root privileges.
Last edited by tkedwards; 07-26-2005 at 08:11 PM.
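
A way to check the layout described in the post above, as an added example that is not part of the original post: it audits each Apache process by its own credentials (the four values on the `Uid:` line of `/proc/<pid>/status`: real, effective, saved, filesystem) rather than by its ancestry. The process name `apache2`, the PIDs and UID 33 in the sample are constructed assumptions.

```python
import glob

# Constructed sample in /proc/<pid>/status format; PIDs and UID 33 are assumptions.
SAMPLE = {
    812: "Name:\tapache2\nPPid:\t1\nUid:\t0\t0\t0\t0\n",
    845: "Name:\tapache2\nPPid:\t812\nUid:\t33\t33\t33\t33\n",
    846: "Name:\tapache2\nPPid:\t812\nUid:\t33\t33\t33\t33\n",
    # Faulty worker: effective UID dropped, but the saved UID is still root.
    847: "Name:\tapache2\nPPid:\t812\nUid:\t33\t33\t0\t33\n",
}

def parse_status(text):
    """Return (name, parent PID, (real, effective, saved, fs) UIDs)."""
    fields = dict(l.split(":\t", 1) for l in text.splitlines() if ":\t" in l)
    uids = tuple(int(u) for u in fields["Uid"].split())
    return fields["Name"], int(fields["PPid"]), uids

def audit(statuses, name="apache2"):
    """Classify every process called `name` from its own UIDs."""
    procs = {pid: parse_status(t) for pid, t in statuses.items()}
    report = {}
    for pid, (pname, ppid, uids) in procs.items():
        if pname != name:
            continue
        if ppid not in procs or procs[ppid][0] != name:
            report[pid] = "master"               # the root parent that bound the port
        elif all(u != 0 for u in uids):
            report[pid] = "worker-ok"            # no root UID left to switch back to
        else:
            report[pid] = "worker-retains-root"  # some UID is still 0
    return report

def live_statuses():
    """Collect the same data from /proc on a Linux host."""
    out = {}
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                out[int(path.split("/")[2])] = fh.read()
        except OSError:
            pass                                 # process exited during the scan
    return out

if __name__ == "__main__":
    for pid, verdict in sorted(audit(SAMPLE).items()):
        print(pid, verdict)
```

Passing `live_statuses()` to `audit()` instead of `SAMPLE` runs the same check on a real host.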