Subject: Re: Running apache as root
To: Todd Gruhn's account <tgruhn2@mail.com>
From: David S. <davids@idiom.com>
List: netbsd-users
Date: 10/05/2001 10:05:24
On Fri, Oct 05, 2001 at 10:11:28AM -0500, Todd Gruhn's account wrote:
> 
> Several weeks ago I made a crack about the CODE RED worm -- someone
> mentioned that the webserver should not run with root perms and that
> it should run off an unprivileged port.
> 
> I finally looked at my apache setup and noticed the following:
> 1) I am running it as root

The Apache parent process needs to run as root if you want the program
to use a privileged port.  The child processes can (and should) run as
a non-privileged user.

> 2) I am running it behind IPF using keepstate rules
> 3) Due to 2 there is no problem here
> 
> If I am NOT PROVIDING service, how valid is the assumption in 3), would

Do you mean that you're not providing service to external users?  Because
if you're not providing service, what's the point of running the program?

> it be worth my time to use the rdr command in IPF to redirect/alias port
> 80 to say, port 8080 or 80080?

It would be easier and clearer to just configure Apache to use a 
non-privileged port.  The problem with the IPF redirect is that it's rather
obscure.  I can easily imagine someone else trying to re-configure Apache
on this machine and being completely stymied by the IPF re-direct working
silently in the background.

But if you're particularly concerned about security, you might consider
running Apache 'chroot'-ed.

David S.


> 
> Todd Gruhn
> 
> 
>