I'm rusty on the technical stuff these days but we have an issue at a client co. that is causing headaches as we can't get a straight answer from the supplier.
They have configured the HTTP server running on RHEL to run as Root. This has always been a no-no for me as it means that anyone compromising the server gains Root access to the box it's running on. The excuse given is that you can't bind privileged ports <1024 to non-root services.
Back when I was still configuring these things the Root user would kick off the HTTPd Daemon which would start the HTTP server under its own user ID, bind the ports and then exit dropping root privileges in the process, leaving the HTTP server to run under its own ID with access to port 80, 443 etc.
Has this changed or am I remembering it wrong after all this time?
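An added example (not part of the original post): a shell check for the setup described above, which reads a `ps` listing and prints the PIDs of httpd worker processes that are still running as root. It assumes the Apache-style layout in which a root-owned parent named `httpd` holds the listening sockets on 80/443 and forks the workers that serve requests; the function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag httpd workers that handle requests as root.
# Expected input columns: user pid ppid comm, as produced on a live host by
#   ps -e -o user= -o pid= -o ppid= -o comm=

# Constructed sample: root parent (pid 1200), workers dropped to "apache".
SAMPLE_OK='root 1200 1 httpd
apache 1201 1200 httpd
apache 1202 1200 httpd
root 900 1 sshd'

# Constructed sample: workers never dropped privileges.
SAMPLE_BAD='root 1200 1 httpd
root 1201 1200 httpd
root 1202 1200 httpd'

# root_workers LISTING [NAME]
# Prints, in ascending order, the PID of every NAME process (default: httpd)
# that runs as root AND whose parent is also a NAME process. The top-level
# parent is skipped on purpose: it is expected to be root because it binds
# the privileged ports before forking.
root_workers() {
    printf '%s\n' "$1" | awk -v name="${2:-httpd}" '
        $4 == name { user[$2] = $1; parent[$2] = $3 }
        END {
            for (pid in user)
                if (user[pid] == "root" && (parent[pid] in user))
                    print pid
        }' | sort -n
}

# Demo on the constructed "bad" listing: prints 1201 and 1202.
root_workers "$SAMPLE_BAD"
```

Any PID printed is a request-handling process with full root privileges; an empty result means the workers dropped to the service account after the parent bound the ports.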