IP Networking

If you read my posts you will see that no one is advocating running Apache as root and I have NO idea why you posted your reply.

Apache can be run as 'nobody' and it can be run as other users, like the example I gave, a 'mysql' user. This is not root.

The question about DOCUMENTROOT has ZERO to do with the user ID root.

This thread was about DOCUMENT ROOT (read the original post) and give me a break

In fact, the original poster specified that his web server ran as:

wwwrun

.... so 'wwwrun' is the userid that Apache will run when subsequent connection are made.... 'wwwrun' is not root

I wasn't saying anyone was running it as root. I was simply saying that leaving the default permissions where only root had write access was more secure. However, we all seemed to trail from that... I was simply saying that the document root was more secure when ONLY root had read/write (unless software that dynamically edits the website is used, like wiki). Let's let this discussion die

I'm glad to let the thread die, but I don't agree that making sure only 'root' has write access is necessarily more secure.

It might be more secure, or it might not, depending on how the system is configured and what are the files, the permissions, and a host of other things.

We have web servers that runs as user 'foo' and the entire filesystem under document DocumentRoot is owned by 'foo' and I'm very happy with the security and would not change it.


'foo' can have a shell like /dev/null and be very secure too and there is no chance of any script executing as 'root' with an accidental SUID flag, etc.

This is off topic from the original post, but it is something that is important. DocumentRoot with Apache and the userid of the listening process can be a host of userids, that is why it is configurable in Apache.


Neo

I'll take that as a comprimise. 'Nuff said