Read: Building Secure High-Performance Web Services with OKWS

Hand-In Procedure

You are to turn in this homework during lecture. Please write up your answers to the exercises below and hand them in to a 6.828 staff member at the beginning of lecture.

OS Security and Web Server Security

Exercise 1 One of the biggest lessons in Unix security is that few if any servers should run as root. Justify.

Exercise 2 Maybe this paper is all wrong then. OKWS claims to be more secure than a comparable Apache configuration, but Apache runs all processes as nobody (or www depending on your OS/distribution) while OKWS runs certain components as root.

(a) Which parts of OKWS run as root?

(b) Why do they run as root?

(c) How does Apache avoid root?

(d) Which method seems more secure? (No right answer here).

This completes the homework.