?
Solved

Apache Security Query

Posted on 2006-06-21
6
Medium Priority
?
259 Views
Last Modified: 2010-03-04
What are the implications of the Apache web server being owned by anyone other than root or the apache user?

Our Oracle DBA has setup apache to run as the Oracle user so when I do a grep for httpd processes they are all owned by the oracle user.

On our other system I have set it up so that sudo allows the oracle user to start and stop the apache processes, but when they are started, they are done so under the apache users ID. Is this method OK in terms of security?
0
Comment
Question by:Grass-hopper
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
6 Comments
 
LVL 5

Accepted Solution

by:
flashwebhost earned 400 total points
ID: 16982203
You can run Apache as any user other than root.

Running Apache as oracle user is insecure as Apache get access to files owned by oracle. Better run apache as its own user like apache, www, httpd, etc...
0
 
LVL 16

Expert Comment

by:xDamox
ID: 17001880
Hi,

You said it starts up under the apache user ID this is much more secure than running it as Oracle user as flashwebhost said. The apache account
will normally have the following shell /sbin/nologin or /bin/flase depending on your distrobution. These to shells stop users from logging into your
machine as they are not valid shells.
0
 

Author Comment

by:Grass-hopper
ID: 17001972
flash - why is it better to run as apache? - suppose what I'm asking is what makes the apache user more likely to get hacked than say the Oracle user itself?
0
 
LVL 16

Assisted Solution

by:xDamox
xDamox earned 400 total points
ID: 17002306
Grass-hopper,

Have a look in the /etc/passwd file and see if the user Oracle has a shell e.g. /bin/bash also if you set youre Apache webserver to run as the user
apache this will stop more data being gathered by a cracker. As the user Oracle will have access to all data.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As Wikipedia explains 'robots.txt' as -- the robot exclusion standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a websit…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question