Hey all,
Just curious about your thoughts... Is it better for me to run apache as
Redhat installs it? Or is it best to download the software and create a
user account for it? Any security implications of either method?
Right now I just downloaded the software and started it up as root. ps
shows it running as nobody. Currently just for testing but before I make
it available I want to make it as secure as possible.
Thanks
--
----
ca
"Thanks to the remote control I have the attention span of a gerbil!"
"There are 10 types of people in the world. Those who understand binary,
and those who don't."
Dave Best <ca> wrote:
If you want apache to run on port 80 it has to start as root, then it
switches to "nobody", so there is no reason or way to run it on a different
user account unless you run it on port > 1024.
Davide
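Davide's point is the standard Apache privilege split: the control process starts as root so it can bind a port below 1024, and the worker processes that actually handle requests run as the unprivileged User (nobody here), which is what the OP saw in ps. The following is an added example, not code from the thread or from the Apache project: a small Python audit that reads `ps -eo user,pid,ppid,comm` output together with an httpd.conf fragment and flags a worker still running as root, a worker whose user does not match the configured User directive, or a non-root parent that is configured to Listen on a privileged port. The ps and httpd.conf samples are constructed, and the function names are assumptions of this example.

```python
"""Audit an Apache (httpd) process tree for the root-parent / unprivileged-worker layout.

Added example for this thread; the ps output and httpd.conf fragment below
are constructed sample data, not captured from a real host.
"""
import re

# Constructed `ps -eo user,pid,ppid,comm` output: one root control process
# (pid 1234), two workers as nobody, and one worker wrongly left as root.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root      1234     1 httpd
nobody    1235  1234 httpd
nobody    1236  1234 httpd
root      1237  1234 httpd
"""

# Constructed httpd.conf fragment with the directives the audit cares about.
SAMPLE_CONF = """\
# constructed httpd.conf fragment
Listen 80
User nobody
Group nobody
"""


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm` output; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, comm = parts
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid), "comm": comm})
    return rows


def parse_conf(text):
    """Return (User directive, lowest Listen port) from an httpd.conf fragment."""
    user = None
    ports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"User\s+(\S+)$", line)
        if m:
            user = m.group(1)
        # Listen may be "Listen 80" or "Listen 192.0.2.1:80"
        m = re.match(r"Listen\s+(?:\S+:)?(\d+)", line)
        if m:
            ports.append(int(m.group(1)))
    return user, (min(ports) if ports else None)


def audit_httpd(ps_text, conf_text, daemon="httpd"):
    """Return a list of (finding, pid) tuples; an empty list means the layout is as expected.

    A process is treated as the control (parent) process when its ppid is not
    itself an httpd pid; every other httpd process is a worker.
    """
    procs = [p for p in parse_ps(ps_text) if p["comm"] == daemon]
    pids = {p["pid"] for p in procs}
    conf_user, low_port = parse_conf(conf_text)
    findings = []
    for p in procs:
        is_parent = p["ppid"] not in pids
        if is_parent:
            # The control process only needs root when it binds a port < 1024.
            if p["user"] != "root" and low_port is not None and low_port < 1024:
                findings.append(("parent_not_root_on_privileged_port", p["pid"]))
        elif p["user"] == "root":
            # Request-handling workers must never keep root.
            findings.append(("root_worker", p["pid"]))
        elif conf_user and p["user"] != conf_user:
            findings.append(("worker_user_mismatch", p["pid"]))
    return findings


if __name__ == "__main__":
    for finding, pid in audit_httpd(SAMPLE_PS, SAMPLE_CONF):
        print(f"{finding}: pid {pid}")
```

On a live box the same function can be fed the real output of `ps -eo user,pid,ppid,comm` and the server's httpd.conf; a root worker is the case worth alerting on, since it means a compromised request handler would hold root rather than nobody.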
Dave Best wrote:
Apache integrates things into their environment, putting things in /var,
setting up config files in /etc/httpd, creating an apache user, etc.
Also, when security or performance updates happen, the RPM tools will
find and replace all the old binaries and widgets more gracefully than
having to delete and re-install by hand: it makes upgrading and
downgrading a lot less painful, like any other decent package manager.
The RPMs also separate the quite large manual and the development kit
into separate packages, so you don't have to install them if you don't
want them.
Unless you absolutely need the latest version, I'd stick with a more
stable and tested RPM release for your OS version.
On Fri, 03 Oct 2003 08:22:04 -0400, Nico Kadel-Garcia
<net> wrote:
>
>Apache integrates things into their environment, putting things in /var,
>setting up config files in /etc/httpd, creating an apache user, etc.
>Also, when security or performance updates happen, the RPM tools will
>find and replace all the old binaries and widgets more gracefully than
>having to delete and re-install by hand: it makes upgrading and
>downgrading a lot less painful, like any other decent package manager.
>The RPMs also separate the quite large manual and the development kit
>into separate packages, so you don't have to install them if you don't
>want them.
>
>Unless you absolutely need the latest version, I'd stick with a more
>stable and tested RPM release for your OS version.
That's how it should work in theory... Redhat is really terrible about
getting updates out the door - up2date is a serious misnomer.
You may as well install the 'stock' configuration, it will simplify
your life when it comes time to upgrade/troubleshoot what you've got.
All the docs etc. will assume you've got a standard configuration, and
you'll waste a fair bit of time working out where the heck RH put
everything.
Apache is really a spectacular example of that - it took me half an
hour just to figure out where the httpd bin file was when I tried to
go from 2.0.40 to 2.0.47! RH is still calling 2.0.40 the latest, btw
- and there's a TON of fixes in between 40 and 47...
Mike-
Mornings: Evolution in action. Only the grumpy will survive.
-----------------------------------------------------
Please note - Due to the intense volume of spam, we have
installed site-wide spam filters at catherders.com. If
email from you bounces, try non-HTML, non-encoded,
non-attachments.
----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeed.com The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---
Michael W. e wrote:
>>
>>Apache integrates things into their environment, putting things in /var,
>>setting up config files in /etc/httpd, creating an apache user, etc.
>>Also, when security or performance updates happen, the RPM tools will
>>find and replace all the old binaries and widgets more gracefully than
>>having to delete and re-install by hand: it makes upgrading and
>>downgrading a lot less painful, like any other decent package manager.
>>The RPMs also separate the quite large manual and the development kit
>>into separate packages, so you don't have to install them if you don't
>>want them.
>>
>>Unless you absolutely need the latest version, I'd stick with a more
>>stable and tested RPM release for your OS version.
>
> That's how it should work in theory.. Redhat is really terrible about
> getting updates out the door - up2date is a serious misnomer.
They're good about security updates, and the bleeding edge stuff is
usually over in the "rawhide" repositories. The problem with bleeding
edge software is that it isn't stable, and they move things around. It
may not interoperate correctly with old setups, and they have to be
repaired by hand: this was a serious issue with OpenSSH when they added
the PrivSep stuff.
They don't call it "the latest". It's their latest release, which means
it's been at least nominally tested. There are a lot of interactions
between Apache, perl modules, mod_* packages, etc. and updating
willy-nilly to different releases is asking to break your production
website.
It's necessary sometimes, and I'm someone who beta tests a lot of new
packages out of rawhide so that the blood from the bleeding edge
software comes from my scarred hide rather than my users. But it's a
risk you need to be aware of. (Ask about the ACPI kernel patches
sometime....)
On Sat, 04 Oct 2003 10:14:04 -0400, Nico Kadel-Garcia
<net> wrote:
[snipped]
>
>They're good about security updates, and the bleeding edge stuff is
>usually over in the "rawhide" repositories. The problem with bleeding
>edge software is that it isn't stable, and they move things around. It
>may not interoperate correctly with old setups, and they have to be
>repaired by hand: this was a serious issue with OpenSSH when they added
>the PrivSep stuff.
Quite true - but the OP asked about Apache, not SSH.
>
>They don't call it "the latest". It's their latest release, which means
>it's been at least nominally tested. There are a lot of interactions
>between Apache, perl modules, mod_* packages, etc. and updating
>willy-nilly to different releases is asking to break your production
>website.
You need to read the changelog for Apache... I'm a lot more
concerned with running some of the security issues in 2.0.40. You're
absolutely correct about the module problems, btw, especially PHP -
but you should STILL read the changelog for apache....
I don't think I've ever used rawhide in my life - I tend to go to the
authors/packages web site, download the code in whatever form, and
join the mailing list. The only major headache I've ever had is with
mod_php, because they cannot leave the variable passing conventions
alone for 2 consecutive revs. They're going to kill that language if
they don't get their acts together...
But I digress -
Mike-
Mornings: Evolution in action. Only the grumpy will survive.