Aaron Kulkis wrote:
> Sloan wrote:
>> Aaron Kulkis wrote:
>>> If, say, apache has a flaw that allows a shell to be forked off, and
>>> apache is running as root, then there you go: root shell.
>>
>> I'm certain that suse has never shipped a distro where apache runs as
>> root.
>
> Not by default, but that doesn't mean much.
>
> Try this:
>
> $ su
> password
> # /etc/init.d/apache start
>
> That's just one of many ways to start apache as root.  If the person
> setting up a website was reading a book written by someone
> who is relatively clueless, then you have a situation which
> can best be described as "The blind leading the naked."

No, that's how it normally starts - apache starts as root, binds to port
80, then drops privileges as it becomes the apache user (wwwrun on
suse). The clueless would have to be more persistent and clever than
that, to make apache run as root. Sure, it's possible to make that
happen, but there is no plausible way that a noob could accidentally
cause apache to run as root.

Joe
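
The start-as-root, bind, then drop-privileges behaviour described in the reply above can be checked from a process listing. This is an added example, not part of the original messages: it flags Apache child processes that still run as root. The binary names and the sample listings are assumptions constructed for illustration.

```python
# Added example: audit a process listing for Apache workers that kept root.
# Input format is the output of: ps -eo pid,ppid,user,comm
import subprocess
import sys

APACHE_NAMES = {"httpd", "httpd2", "httpd2-prefork", "apache2"}  # assumed binary names

# Constructed sample: normal start (parent is root, children dropped to wwwrun).
SAMPLE_OK = """\
  PID  PPID USER     COMMAND
    1     0 root     init
 2101     1 root     httpd2-prefork
 2105  2101 wwwrun   httpd2-prefork
 2106  2101 wwwrun   httpd2-prefork
"""

# Constructed sample: misconfigured so that one worker still runs as root.
SAMPLE_BAD = """\
  PID  PPID USER     COMMAND
    1     0 root     init
 3101     1 root     httpd2-prefork
 3105  3101 root     httpd2-prefork
 3106  3101 wwwrun   httpd2-prefork
"""

def parse_ps(text):
    """Return {pid: (ppid, user, comm)} parsed from the ps listing."""
    procs = {}
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[0].isdigit() and fields[1].isdigit():
            procs[int(fields[0])] = (int(fields[1]), fields[2], fields[3].strip())
    return procs

def root_workers(text, names=APACHE_NAMES):
    """PIDs of Apache children (parent is also Apache) still running as root."""
    procs = parse_ps(text)
    apache = {pid for pid, (_, _, comm) in procs.items() if comm in names}
    return sorted(pid for pid in apache
                  if procs[pid][0] in apache        # Apache parent => worker process
                  and procs[pid][1] in ("root", "0"))

if __name__ == "__main__":
    listing = subprocess.run(["ps", "-eo", "pid,ppid,user,comm"],
                             capture_output=True, text=True).stdout
    bad = root_workers(listing)
    print("root-owned Apache workers:", bad or "none")
    sys.exit(1 if bad else 0)
```

The root-owned parent is expected and is not reported; only children that failed to switch to the unprivileged user are.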
