Old 08-01-2008, 07:34 PM
Knapp
 
Apache2 safety?

When I run this command, I get one instance that is running as root.
As I understand it that is bad for safety reasons, right? How do I
change it?

apache2 mpm-worker kubuntu 8.04 64 bit.

$ ps auwwfx | grep apache

root 6758 0.0 0.2 123240 5240 ? Ss 19:13 0:00 /usr/sbin/apache2 -k start
www-data 6759 0.0 0.1 121860 2344 ? S 19:13 0:00 \_ /usr/sbin/apache2 -k start
www-data 6768 0.0 0.2 346636 4568 ? Sl 19:13 0:00 \_ /usr/sbin/apache2 -k start
www-data 6771 0.0 0.2 346636 4572 ? Sl 19:13 0:00 \_ /usr/sbin/apache2 -k start
douglas 13852 0.0 0.0 5164 832 pts/1 S+ 21:29 0:00 | \_ grep apache

--
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page

--
kubuntu-users mailing list
kubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-users
 
Old 08-01-2008, 07:51 PM
"Gordon Schulz"
 
Apache2 safety?

On Fri, Aug 1, 2008 at 9:34 PM, Knapp <magick.crow@gmail.com> wrote:
> When I run this command, I get one instance that is running as root.
> As I understand it that is bad for safety reasons, right? How do I
> change it?
>
> apache2 mpm-worker kubuntu 8.04 64 bit.
>
> $ ps auwwfx | grep apache
>
> root 6758 0.0 0.2 123240 5240 ? Ss 19:13 0:00
> /usr/sbin/apache2 -k start
> www-data 6759 0.0 0.1 121860 2344 ? S 19:13 0:00 \_
> /usr/sbin/apache2 -k start
That's normal behaviour. One root process has to be there since
privileged ports have to be opened (port 80 the most prominent).
Subsequent processes that actually serve the content are then spawned
www-data owned.
--
Greetings,
Gordon.
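
A way to check the layout described in this reply, added here as an example and not part of the original thread: it reads `ps -eo user,pid,ppid,comm` output and reports any Apache child that is still running as root. The sample listing is constructed from the one in the thread (the PPID values are made up), and the function names are illustrative.

```python
import subprocess

APACHE_NAMES = {"apache2", "httpd"}

# Constructed sample in `ps -eo user,pid,ppid,comm` format, modelled on the
# listing in the thread (the PPID values are made up for illustration).
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root      6758     1 apache2
www-data  6759  6758 apache2
www-data  6768  6758 apache2
www-data  6771  6758 apache2
douglas  13852 13000 grep
"""

def parse_apache_procs(ps_text):
    """Return (user, pid, ppid) for every Apache process in the ps output."""
    procs = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[3].strip() in APACHE_NAMES:
            procs.append((parts[0], int(parts[1]), int(parts[2])))
    return procs

def audit_apache_privileges(ps_text):
    """List problems; an empty list means no Apache child runs as root."""
    procs = parse_apache_procs(ps_text)
    apache_pids = {pid for _, pid, _ in procs}
    findings = []
    for user, pid, ppid in procs:
        # A process whose parent is also Apache is a child/worker and
        # should already have dropped to the unprivileged account.
        if ppid in apache_pids and user == "root":
            findings.append(f"child pid {pid} is running as root")
    return findings

if __name__ == "__main__":
    live = subprocess.run(["ps", "-eo", "user,pid,ppid,comm"],
                          capture_output=True, text=True, check=True).stdout
    ok = ["ok: no Apache child runs as root"]
    for message in audit_apache_privileges(live) or ok:
        print(message)
```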

 
Old 08-01-2008, 08:04 PM
Knapp
 
Apache2 safety?

On Fri, Aug 1, 2008 at 9:51 PM, Gordon Schulz <gordon.schulz@gmail.com> wrote:
> On Fri, Aug 1, 2008 at 9:34 PM, Knapp <magick.crow@gmail.com> wrote:
>> When I run this command, I get one instance that is running as root.
>> As I understand it that is bad for safety reasons, right? How do I
>> change it?
>>
>> apache2 mpm-worker kubuntu 8.04 64 bit.
>>
>> $ ps auwwfx | grep apache
>>
>> root 6758 0.0 0.2 123240 5240 ? Ss 19:13 0:00
>> /usr/sbin/apache2 -k start
>> www-data 6759 0.0 0.1 121860 2344 ? S 19:13 0:00 \_
>> /usr/sbin/apache2 -k start
> That's normal behaviour. One root process has to be there since
> privileged ports have to be opened (port 80 the most prominent).
> Subsequent processes that actually serve the content are then spawned
> www-data owned.
> --
> Greetings,
> Gordon.

Thanks, that is nice to hear. Is there anything else that needs fixing
in the basic install to make things as safe as can be? I am running
firestarter and only have port 80 open and a few others for torrents
and what not. Port 22 is closed, sure gets hit a lot!


--
Douglas E Knapp

http://sf-journey-creations.wikispot.org/Front_Page

 
Old 08-03-2008, 06:29 PM
Joel Oliver
 
Apache2 safety?

> Thanks, that is nice to hear. Is there anything else that needs fixing
> in the basic install to make things as safe as can be? I am running
> firestarter and only have port 80 open and a few others for torrents
> and what not. Port 22 is closed, sure gets hit a lot!

One thing I like to do is limit the server 'tokens'. Doesn't do much
for safety, but having the server report every enabled option and its
version along with your OS type and version is not a good idea IMO
(Makes scripting attacks looking in the header easy if an exploit for a
certain version/OS is found). To understand what I am talking
about, go to http://www.grc.com/id/idserve.htm. This utility only works
in Windows though... I have never seen a Linux version and this doesn't
seem to work right in Wine...

The section in the apache2.conf file is:

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Minor


I set mine on 'Minor', although for the truly paranoid 'Prod' would be better.

Also remove any symbolic links from the mods enabled directory for
anything you will not use... And I usually have to enable the mod for
ssl (For https: access)

A quicker way to manage these symbolic links is the a2enmod and
a2dismod commands.
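
A Linux-side check of what the Server header gives away, added here as an example and not part of the original thread: it fetches the header from your own server and maps it to the ServerTokens level it corresponds to, following the header shapes in the Apache documentation. The function names and the sample header strings in the comments are constructed for illustration.

```python
import http.client
import re

# ServerTokens levels, ordered from least to most revealing.
LEVELS = ["Prod", "Major", "Minor", "Minimal", "OS", "Full"]

# Apache[/version][ (os)][ module tokens...]
_HEADER = re.compile(
    r"Apache(?:/(\d+(?:\.\d+){0,2}))?(?: \(([^)]*)\))?((?: .+)?)")

def classify_server_header(value):
    """Return the ServerTokens level a Server header matches, or None."""
    m = _HEADER.fullmatch(value.strip())
    if not m:
        return None                      # not an Apache-style header
    version, os_name, modules = m.groups()
    if modules:
        return "Full"                    # e.g. "Apache/2.2.8 (Ubuntu) PHP/5.2.4"
    if os_name is not None:
        return "OS"                      # e.g. "Apache/2.2.8 (Ubuntu)"
    if version is None:
        return "Prod"                    # bare "Apache"
    # 0 dots -> Major, 1 dot -> Minor, 2 dots -> Minimal
    return ["Major", "Minor", "Minimal"][version.count(".")]

def reveals_more_than(value, allowed="Minor"):
    """True if the header discloses more than the allowed level."""
    level = classify_server_header(value)
    return level is not None and LEVELS.index(level) > LEVELS.index(allowed)

def fetch_server_header(host, port=80, timeout=5):
    """HEAD request against your own server; returns the Server header."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()

if __name__ == "__main__":
    header = fetch_server_header("localhost") or ""
    print(repr(header), "->", classify_server_header(header))
    if reveals_more_than(header, "Minor"):
        print("Server header reveals more than ServerTokens Minor")
```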



 
