Jump to content

Compiling Apache as root


inTheDMZ
 Share

Recommended Posts

You should never need root permissions to compile any application. If you're compiling as the root user you're doing it wrong.

Compiling as root or installing and running as root? Can't you compile as root but install an app as a low level user or its own user group? VLC for example, doesn't want to install as root and usually gives a warning, but I hear what you are saying.

@the op, if Apache is running as root, and all files on the web server are running as root, instead of say, www-data or apache-www, then any attack that compromises the web server, has root permissions. Just something to think about before you deploy and setup Apache.

Link to comment
Share on other sites

Got this all sorted now, configured and compiled using the DBIG security hole option, this is a internal webserver for a university project so security isn't a issue, only access will be plugging it in physically.

Needs root permissions to do iptable manipulation and access rc.local/ root cronjobs etc etc

Link to comment
Share on other sites

"An internal webserver for a university project so security isn't a issue" sounds like tempting fate to me. :)

Personally I would have created a few setuid executables that would make the required changes and then have your CGI scripts call these to do the work that requires root permissions. You could then have your CGI scripts validating your inputs from the web and processing them in to the inputs for your executables. Your executables can then validate the inputs passed to them before processing them. That way someone would have to break through your CGI scripts and then through your setuid executables.

Link to comment
Share on other sites

Compiling as root or installing and running as root? Can't you compile as root but install an app as a low level user or its own user group? VLC for example, doesn't want to install as root and usually gives a warning, but I hear what you are saying.

@the op, if Apache is running as root, and all files on the web server are running as root, instead of say, www-data or apache-www, then any attack that compromises the web server, has root permissions. Just something to think about before you deploy and setup Apache.

You should never need root permissions to COMPILE an application. You typically need root permission to install it globally on the system (eg, to write files to /bin or /usr/bin), and you might need root permissions to run the application (typically servers on ports <1024 will be started as root and then drop privileges to 'nobody' or 'www-data' or similar). However COMPILING should never require root permission. When you're compiling the application you're just translating from the source form to the binary form, there is nothing happening in that translation that would justify needing root permissions.
Link to comment
Share on other sites

You should never need root permissions to COMPILE an application. You typically need root permission to install it globally on the system (eg, to write files to /bin or /usr/bin), and you might need root permissions to run the application (typically servers on ports <1024 will be started as root and then drop privileges to 'nobody' or 'www-data' or similar). However COMPILING should never require root permission. When you're compiling the application you're just translating from the source form to the binary form, there is nothing happening in that translation that would justify needing root permissions.

I like that answer of why, more than just telling him hes doing it wrong.

:)

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...