On Sun, 27 May 2001, Carrie Bartkowiak wrote:

> > well, it's not a system file so in my opinion it can be erased.
> > what I do wonder about is the owner of the file, that is, root.
> > it isn't a customer cgi script. unless your httpd runs as root (i hope
> > not!!!!),
> 
> When I do a 'top', I get a bunch of httpd running as root.  (!?)
> Mostly they run as httpd, but there are a number of them running as
> root, on both RaQ4 boxes.
> Don't blame me, I didn't do it... *grin*
> Guess it's a Cobalt thing.
> 
> > so it's either something the GUI did, or you did. or someone who
> > has root did :\
> 
> I'm thinking maybe this person used the GUI to backup their site, and
> this was a temporary dumping station or backup buffer for it?
> Either way, I just removed it after reading your letter and nothing
> fell over, so I suppose I'm good to go. ;)
> Thanks!
> 
> CarrieB

Well, I was pretty sure nothing would happen, though this looks like a
weird filename for a backup.

Regarding httpd, yes, that's correct. You should have two httpd processes
running as root (at least), which are the admserv and the normal httpd
listening on port 80 and 81.
they must run as root for a very simple reason - normal users can't listen
on ports 1-1024. (or 1023, i'm not sure, anyhow it's within range)

when the connection arrives, the httpd server "gives birth" to a "child
process", in the normal httpd case, the child is using the httpd user, as
it needs no privileges, but, on the other httpd, the admserv, the http
server must have access to modify files only root can. So basically,
you'll always see two httpds running as root like this:

[shimi@www shimi]$ ps aux
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       650  0.0  0.1  6880   72 ?        S    May08   0:01 /usr/sbin/httpd -f /etc/admserv/conf/httpd.conf
root       725  0.0  0.1 16628   92 ?        S    May08   0:09 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf

another some like the first one, depends on how many users are there on
the admserv (notice that apache leaves several running at a minimum, so
they'll be available to reply to requests immediately, instead of spawning
a new child when the connection comes, which takes time, even minimal. the
minimal instances of httpd running can be changed in the conf, as well as
the maximal one [when people get http server too busy, i think])

as well as another some for the normal httpd, which then looks like this:
httpd     3644  0.0  4.8 17056 3084 ?        S    02:51   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd     4180  0.0  2.5 16688 1616 ?        S    03:03   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd     4222  0.0  4.6 17056 2952 ?        S    03:04   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd     4332  0.0  5.0 17064 3156 ?        S    03:07   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd     4333  0.0  2.4 16688 1564 ?        S    03:07   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf

you can see that they were spawned at different times (when old instances
died)

in short, as long as you have only one httpd with -f /etc/httpd/conf/httpd.conf,
there's really nothing to worry about :-)

- shimi.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
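
The check described in the reply above, as an added example that is not part of the original message: it counts httpd processes per config file and per owner from `ps aux` output, and passes only when exactly one root-owned httpd uses /etc/httpd/conf/httpd.conf. The function names are made up for illustration, reading "only one httpd" as "only one root-owned httpd" is an assumption, and the sample lines are copied from the listing in the message.

```shell
#!/bin/sh
# Added example (not from the original message).
# MAIN_CONF is the config path shown in the thread's ps listing.
MAIN_CONF="/etc/httpd/conf/httpd.conf"

# Reads `ps aux`-style lines on stdin and prints one line per config file:
#   <conf> root=<n> other=<m>
httpd_owner_summary() {
    awk '
        $11 ~ /(^|\/)httpd$/ {
            conf = "(default)"
            # The config file is the argument that follows -f.
            for (i = 12; i < NF; i++) if ($i == "-f") conf = $(i + 1)
            seen[conf] = 1
            if ($1 == "root") root[conf]++; else other[conf]++
        }
        END {
            for (c in seen) printf "%s root=%d other=%d\n", c, root[c], other[c]
        }
    ' | sort
}

# Exit status 0 only when exactly one root-owned httpd uses MAIN_CONF
# (the parent that binds the low port); its children should run as httpd.
check_main_httpd() {
    n=$(httpd_owner_summary |
        awk -v c="$MAIN_CONF" '$1 == c { sub(/^root=/, "", $2); print $2 }')
    [ "${n:-0}" -eq 1 ]
}

# Sample input: lines taken from the ps listing in the message.
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       650  0.0  0.1  6880   72 ?        S    May08   0:01 /usr/sbin/httpd -f /etc/admserv/conf/httpd.conf
root       725  0.0  0.1 16628   92 ?        S    May08   0:09 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd     3644  0.0  4.8 17056 3084 ?        S    02:51   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
httpd     4180  0.0  2.5 16688 1616 ?        S    03:03   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
EOF
}
```

On a live box the same functions take `ps auxww` on stdin, for example `ps auxww | httpd_owner_summary`.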
