Classnotes | UNIX03
As we learned in UNIX02/Apache Configuration, Apache's configuration files are typically located in /etc/httpd/conf or /etc/apache/conf. The main configuration file (and the one we will be concerned with today) is httpd.conf.
We will now examine some specific problems and fixes with respect to security under Apache.
Apache Ownership and Permissions
Traditionally, Apache serves HTTP on TCP port 80. Because ports below 1024 are privileged, the httpd process must be started as root in order to bind to it. For that reason many people (and some UNIX vendors) set Apache up to run entirely as root, despite the grievous security risk this causes: any flaw in the server, a module, or a CGI script then executes with full root privileges. (This is one of the reasons some server administrators run httpd on an unprivileged port such as 8080 instead.)
The desired setup (and the default in many Linux and BSD distributions) is to start Apache as root so that it can open the port, and then have it switch to an unprivileged user and group for the processes that actually service requests; in httpd.conf this is controlled by the User and Group directives. The two most common choices of user are nobody and a dedicated httpd account. The one consideration is that the user Apache runs as should be the only service using that UID on the system: processes sharing a UID can signal each other and read each other's files, so if you do use nobody, make certain that no other daemon is running as nobody as well.
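As an added example (not part of the original class notes), the shell functions below pull the User, Group and Listen directives out of an httpd.conf and check a `ps -eo user,comm` style listing for other daemons sharing the web server's UID, plus which users the httpd processes themselves run as (the parent should be root, the children the unprivileged user). The config fragment and the process listing are constructed sample data, and the function names are the author's own, not Apache tooling.

```shell
#!/bin/sh
# Added example: audit the Apache user/group setup described in the notes.
# Everything below is constructed sample data or helper functions written for
# this illustration; nothing is taken from a real server.

# Constructed sample httpd.conf fragment written to a temp file.
SAMPLE_CONF="${TMPDIR:-/tmp}/httpd.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# Apache binds port 80 as root, then switches to the User/Group below
# for the processes that actually service requests.
Listen 80
User httpd
Group httpd
EOF

# Constructed `ps -eo user,comm` output: the root parent, two httpd
# children running as the unprivileged user, and an unrelated daemon
# (portmap) that happens to run as nobody.
SAMPLE_PS='USER     COMMAND
root     httpd
httpd    httpd
httpd    httpd
nobody   portmap'

# Print the value of a directive ($2) from an httpd.conf ($1), ignoring
# comment lines (their first field is "#"). Later occurrences win, as in Apache.
conf_directive() {
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

# Read a ps listing on stdin; print the names of commands other than httpd
# that run as user $1. Empty output means the UID is used by Apache alone.
other_daemons_as() {
    awk -v u="$1" 'NR > 1 && $1 == u && $2 != "httpd" { print $2 }'
}

# Succeed (exit 0) only if no process other than httpd runs as user $1.
uid_is_exclusive() {
    [ -z "$(other_daemons_as "$1")" ]
}

# Read a ps listing on stdin; print the distinct users running httpd,
# space separated and sorted. Expect exactly "root" plus the configured User.
httpd_users() {
    awk 'NR > 1 && $2 == "httpd" { print $1 }' | sort -u | xargs
}

# Combined check: the configured User must be the only non-httpd-free UID,
# i.e. nothing else on the box may run under it.
audit_apache_uid() {
    # $1 = httpd.conf path, ps listing on stdin
    user=$(conf_directive "$1" User)
    [ -n "$user" ] || { echo "no User directive in $1" >&2; return 2; }
    if uid_is_exclusive "$user"; then
        echo "OK: only httpd runs as $user"
    else
        echo "WARNING: other daemons run as $user" >&2
        return 1
    fi
}

# Stand-alone run against the constructed data.
printf '%s\n' "$SAMPLE_PS" | audit_apache_uid "$SAMPLE_CONF"
printf '%s\n' "$SAMPLE_PS" | other_daemons_as nobody
```

On a live system replace the constructed listing with `ps -eo user,comm` and point `audit_apache_uid` at the real httpd.conf; a non-empty result from `other_daemons_as nobody` is exactly the shared-UID situation the notes warn against.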