Securing Apache 2: Step-by-Step
Artur Maj

Securing Apache 2: Step-by-Step 2006-11-01
Anonymous
Securing Apache 2: Step-by-Step 2007-10-16
harry (1 replies)
Re: Securing Apache 2: Step-by-Step 2007-11-08
Fabien
This is not fully the case: we see that we have a dedicated user and group in the httpd.conf file.

The directives are:

User apache

Group apache

And when the main process running as root is starting, it will put the port(s) in LISTEN mode, fork the main process into several sub-processes or threads, and only survey/monitor/manage the children processes (eventually spawning others).

Therefore, that main process will not be involved in handling one communication channel with a client.

On its side, a sub-process or thread, when started, will first give away the root rights and take the ones mentioned by the directives above. Only after that moment will it accept a client connection.

Therefore, it's harmful to have that process running as root, because there are no client interactions.

That said, and for various reasons, some people are running the main httpd process directly with a dedicated user. This implies that no privileged ports (port number less than 1024) need to be opened by the main httpd process.

Hopefully that clarifies that point a bit.

Regards,

Fabien


Link to this comment: http://www.securityfocus.com/comments/infocus/1786/1003#1003
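
The process model described in the comment above can be checked on a running host. The following is an added example, not part of the original comment or of Apache itself: it compares the User and Listen directives with `ps -eo user,pid,ppid,comm` output and reports workers that did not switch away from root. The sample configuration, the process table and the binary name httpd are constructed assumptions.

```python
# Constructed sample inputs for illustration (not taken from the page).
HTTPD_CONF = """\
Listen 80
User apache
Group apache
"""
PS_OUTPUT = """\
USER PID PPID COMMAND
root 1201 1 httpd
apache 1210 1201 httpd
apache 1211 1201 httpd
root 1212 1201 httpd
"""

def parse_conf(text):
    """Extract the User, Group and Listen ports from httpd.conf text."""
    conf = {"user": None, "group": None, "ports": []}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name in ("user", "group"):
            conf[name] = parts[1]
        elif name == "listen":
            # Accepts "80", "192.0.2.1:8080" and "[::]:443"
            conf["ports"].append(int(parts[1].rsplit(":", 1)[-1]))
    return conf

def audit(conf_text, ps_text, binary="httpd"):
    """Return findings where the process table departs from the parent/worker model."""
    conf, findings = parse_conf(conf_text), []
    rows = [l.split() for l in ps_text.splitlines()[1:] if l.strip()]
    procs = [(u, int(pid), int(ppid)) for u, pid, ppid, cmd in rows if cmd == binary]
    pids = {pid for _, pid, _ in procs}
    if conf["user"] in (None, "root"):
        findings.append("config: workers have no unprivileged User to switch to")
    for user, pid, ppid in procs:
        if ppid in pids:  # worker: the process that accepts client connections
            if user != conf["user"]:
                findings.append(f"pid {pid}: worker runs as {user}, expected {conf['user']}")
        elif user != "root" and any(p < 1024 for p in conf["ports"]):
            findings.append(f"pid {pid}: parent runs as {user} but a Listen port is below 1024")
    return findings

if __name__ == "__main__":
    for finding in audit(HTTPD_CONF, PS_OUTPUT):
        print(finding)
```
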







 

Copyright 2008, SecurityFocus