Re: Avoid while on line, apache & X as root?



On Saturday 23 Jan 2010 22:54, while playing with a tin of spray paint,
script||die painted this mural:


> Someone told me that it was unsafe to run apache intended for use as a
> local web server while on line (I don't know networking).

Apache itself shouldn't be an issue. Even having lots of php pages,
something that can be very insecure, won't be much of an issue. What
would be an issue is where the pages take user input, either through
GET or POST form data, don't validate/sanitise that data, and then use
it to perform some other actions. This is the most common security
issue with web servers run on the public net.

However, as others mention, if you're behind a NAT router[0] that
hasn't been set up to do port forwarding, it doesn't matter one bit.
Without the web server making some form of request, the router wouldn't
know where to send traffic aimed at port 80, and so it would be either
dropped or rejected. Of course, that doesn't mean you shouldn't care
about security but, without that forwarding, your web server won't be
accessible from outside your local network.

> Also that it was unsafe to run X as root. I think this one makes sense,
> but why would it be unsafe if not online and if the system is backed up?

I've never had problems running X as root, since that's what it
actually runs as. You can easily see this by looking to find out what
the PID for Xorg is, in my present case it's 27874, and then looking at
the ownership of the files inside /proc/$PID . On all my machines, the
ownership is root.root. Of course, this isn't entirely true. X starts
as root but, when you log in to your desktop, it drops privileges to
run as the user for the duration of the session.

As for running a desktop as root, it's been a long time since I've done
that. At the time, I was also hearing the same "it's a bad thing to do"
that you've heard and I do agree that it is a bad thing to do.
There's too much chance to break things, even if you're careful, so
it's best not to take the risk.

The main problem with it is when you are having to perform diagnostics
to try and find out why a desktop won't start. In this case, the common
method is to start from runlevel 3 and use startx to get X started.
This would be fine as a normal user, and possibly so when logged in as
root. The big problem is when people use su to become root but forget
to use the "su -" form. Without that '-', su will leave the normal
user's environment alone and just elevate the privileges, which means
all those files that X reads and writes end up in the user's home but
owned by root. And then, next time they try logging in, X won't read
them because the user doesn't have permission, and then the fun really
starts in trying to find out why it works as root but not as that user.
I learnt this the hard way, many years ago, but also learnt the simple
cure for it:

chown -R $user.users /home/$user

which changes the ownership of any files under a user's home directory
back to that user.


[0] This is the most common configuration for a router. In this case,
your machine(s) have a private IP address, which usually is in the
192.168.0.1 - 192.168.255.254 range[1], and the router forwards traffic
from the public IP, which the router is assigned, to the private IP
that requested the traffic. The other arrangement for routers is to be
in bridged-mode, where your machine gets the external IP address and
the router acts as a bridge, passing all the traffic straight to you
and leaving your machine to do all the firewalling, etc.

[1] It may also be in the 10.0.0.1-10.255.255.254 or
172.16.0.0-172.31.255.254 ranges, depending on the manufacturer of the
router.

Regards,
David Bolt

--
Team Acorn: www.distributed.net OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 11.0 32b | | | openSUSE 11.3M0 32b
openSUSE 11.0 64b | openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
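
Added example, not part of David Bolt's post: a way to see which entries under a home directory ended up owned by another account after the plain "su" mistake described above, and to change only those instead of running a blanket chown -R. The function names and the demo directory are hypothetical; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find entries in a home
# directory that are not owned by the expected account, e.g. files X wrote
# as root after plain "su" was used instead of "su -".

# foreign_owned DIR OWNER
# Print every path under DIR whose owner is not OWNER (name or numeric UID).
# -xdev keeps find on one filesystem, so anything mounted below DIR is skipped.
foreign_owned() {
    find "$1" -xdev ! -user "$2" -print
}

# count_foreign DIR OWNER: number of mismatched entries, DIR itself included.
count_foreign() {
    foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# repair_ownership DIR OWNER GROUP
# Re-own only the mismatched entries. chown -h changes a symlink itself and
# not its target, so a link pointing outside DIR cannot redirect the change.
# Re-owning files that belong to other accounts needs root.
repair_ownership() {
    find "$1" -xdev ! -user "$2" -exec chown -h "$2:$3" {} +
}

# Constructed demo: a throwaway "home" with the kind of files X touches.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.config"
    : > "$d/.Xauthority"
    : > "$d/.config/settings"
    me=$(id -u)
    other=$((me + 1))   # assumed stand-in for "the account that should own it"
    echo "entries not owned by uid $me: $(count_foreign "$d" "$me")"
    echo "entries not owned by uid $other: $(count_foreign "$d" "$other")"
    rm -rf "$d"
}

demo
```

Run foreign_owned against the real home directory first and read the list before calling repair_ownership as root.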