Void's Forums

[Basher52]

i just saw that my daemon runs under root, and that aint good.

[root@FTP ~]# ps auxw|grep mysqld
root 9515 0.0 0.0 3940 608 pts/5 R+ 12:06 0:00 grep mysqld

i usually don't have mysqld autostart, i do that manually, well so far anyways.
so when i start it using: service mysqld start
it will run under root, can somehow i set it to run under another user and whats the best user for it?
'nobody' maybe?

(got the same problem with httpd too)

[Void Main]

The initial daemons need to be run under root, especially in the case of Apache. The reason Apache specifically needs to start as root is because it has to bind to a low port (ports 1024 and less are low ports) which require root level authority. However, this isn't all that bad because any time a new connection request is made a child process is spawned and run under a user with less than root authority. So when you do a process list and grep for all of the Apache processes you should see one running under root and the rest running under another ID:

Code: Select all

$ ps -ef | grep httpd
root      2499     1  0 Dec08 ?        00:00:01 /usr/sbin/httpd
apache   24070  2499  0 Dec10 ?        00:02:50 /usr/sbin/httpd
apache   24071  2499  0 Dec10 ?        00:02:41 /usr/sbin/httpd
apache   24072  2499  0 Dec10 ?        00:02:59 /usr/sbin/httpd
apache   24073  2499  0 Dec10 ?        00:02:39 /usr/sbin/httpd
apache   24074  2499  0 Dec10 ?        00:02:47 /usr/sbin/httpd
apache   24075  2499  0 Dec10 ?        00:03:10 /usr/sbin/httpd
apache   24076  2499  0 Dec10 ?        00:02:40 /usr/sbin/httpd
apache   24077  2499  0 Dec10 ?        00:03:00 /usr/sbin/httpd
apache    4711  2499  0 Dec10 ?        00:02:38 /usr/sbin/httpd
apache    4760  2499  0 Dec10 ?        00:02:27 /usr/sbin/httpd
apache    4817  2499  0 Dec10 ?        00:02:40 /usr/sbin/httpd
apache    4898  2499  0 Dec10 ?        00:02:41 /usr/sbin/httpd
apache   11193  2499  0 Dec10 ?        00:02:17 /usr/sbin/httpd
apache   16298  2499  0 Dec10 ?        00:01:53 /usr/sbin/httpd
apache   25532  2499  0 Dec10 ?        00:01:33 /usr/sbin/httpd
apache   23906  2499  0 07:11 ?        00:00:00 /usr/sbin/httpd
apache   23907  2499  0 07:11 ?        00:00:01 /usr/sbin/httpd
apache   23909  2499  0 07:11 ?        00:00:00 /usr/sbin/httpd
apache   23910  2499  0 07:11 ?        00:00:00 /usr/sbin/httpd
apache   23911  2499  0 07:11 ?        00:00:00 /usr/sbin/httpd
voidmain 24135 23973  0 07:16 pts/0    00:00:00 grep httpd


Notice the parent process for all fo the children is the one running as root.

[Basher52]

oh, hehe I wasnt smart enough to do 'ps' when i had made a connection to it, lol
well i do see the same as you, it suns the new processes under 'apache', then i got a follow up question, to set maximum protection against hacking etc unless using .htaccess and other things, should/could i 'chown' all files and folder to the group/user 'apache'.
I have made this already in my testing and it works, but i havent found any data telling me that this is a good thing or not.

[Void Main]

i got a follow up question, to set maximum protection against hacking etc unless using .htaccess and other things, should/could i 'chown' all files and folder to the group/user 'apache'.

Absolutely not. That's the absolute worst thing you can do for security. The funny part about this is I have seen tutorials that tell you to do just that. I have to send the authors of such tutorials messages ripping them a new one when I see it.

Think about what happens if someone were to exploit a buffer overflow in your Apache daemon and gain a shell. Or even easier, exploit a vulnerability in one of your many PHP or any other CGI script. What UserID will this shell be running under? That's right, the user "apache". Now, if you are logged on as the user "apache" what files and directories can you write to and what files can't you write to? Obviously anything owned by the user "apache" is fair game and expect a defacing right off the bat, if you're lucky that is. So believe it or not it is *most* secure if the directories/files are owned by root and only have read permission wherever possible. Give the minimum amount of permissions that you possibly can.

To tell you the truth I usually set the ownership to my personal local user account (e.g. voidmain) on directories that I personally want to work. That way I can log on as user voidmain and make any changes necessary to files in my web directories and not have to switch user to root, AND the apache user doesn't have permission to write/change anything. That's probably the optimal way to do it.

So most directories are set owner:group voidmain:voidmain and rwxr-xr-x and most files are voidmain:voidmain rw-r--r--. In this case someone would have to either get access to my local "voidmain" account or "root" before anything could be changed. I really prefer to set my machines up so I don't have to become root for normal development/web type stuff.

[Basher52]

very informative post thanks for clearing this up.
when i "prod" this i will for certain chown the dirs/files to a "normal" user as you said