This is a discussion on Problems with DBIG_SECURITY_HOLE within the Apache Web Server forums, part of the Web Server and Related Forums category.
I want some scripts to have root access. To accomplish that, I want to
run my Apache2 as root. Here is the result:

login as: root
root@192.168.2.100's password: root
Last login: Fri Mar 7 16:27:22 2008
Linux ubuntu 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@ubuntu:~# env CFLAGS="-DBIG_SECURITY_HOLE"
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=192.168.0.100 1298 22
SSH_TTY=/dev/pts/0
USER=root
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.flac=01;35:*.mp3=01;35:*.mpc=01;35:*.ogg=01;35:*.wav=01;35:
MAIL=/var/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
PWD=/root
LANG=sv_SE.UTF-8
SHLVL=1
HOME=/root
LOGNAME=root
SSH_CONNECTION=192.168.0.100 1298 192.168.2.100 22
LESSOPEN=| /usr/bin/lesspipe %s
LESSCLOSE=/usr/bin/lesspipe %s %s
_=/usr/bin/env
CFLAGS=-DBIG_SECURITY_HOLE
root@ubuntu:~# apache2
Syntax error on line 125 of /etc/apache2/apache2.conf:
Error:
Apache has not been designed to serve pages while
running as root. There are known race conditions that
will allow any local user to read any file on the system.
If you still desire to serve pages as root then
add -DBIG_SECURITY_HOLE to the CFLAGS env variable
and then rebuild the server.
It is strongly suggested that you instead modify the User
directive in your httpd.conf file to list a non-root
user.
root@ubuntu:~#
"sebastian nielsen" <nielsen.sebastian@gmail.com> wrote in message
news:7e909587-273b-466a-928b-90d219bc06e5@m44g2000hsc.googlegroups.com...
> I want some scripts to have root access. To accomplish that, I want to
> run my Apache2 as root. Here is the result:
>
> login as: root
> root@192.168.2.100's password: root
> Last login: Fri Mar 7 16:27:22 2008
> Linux ubuntu 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686
>
> The programs included with the Ubuntu system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
> applicable law.
> root@ubuntu:~# env CFLAGS="-DBIG_SECURITY_HOLE"

<SNIP>

> root@ubuntu:~# apache2
> Syntax error on line 125 of /etc/apache2/apache2.conf:
> Error:
> Apache has not been designed to serve pages while
> running as root. There are known race conditions that
> will allow any local user to read any file on the system.
> If you still desire to serve pages as root then
> add -DBIG_SECURITY_HOLE to the CFLAGS env variable
> and then rebuild the server.
> It is strongly suggested that you instead modify the User
> directive in your httpd.conf file to list a non-root
> user.
> root@ubuntu:~#

Read the error message, you've only done half of what it told you to do - after adding -DBIG_SECURITY_HOLE to CFLAGS you need to rebuild the server (as in recompile from source), not just try running it.
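
The reply's point is that the root check is compiled into the binary, so an exported CFLAGS changes nothing until a rebuild. The following is an added example, not part of the thread: a shell audit that reports whether a config asks for root workers and whether the binary's `-V` output lists the define. The function names, the sample config and the sample `-V` text are constructed, and it assumes a single config file with no Include or variable expansion.

```shell
#!/bin/sh
# Added example: audit for the condition discussed in this thread.
# Function names and all sample data are constructed for illustration.
# Assumes one config file; Include files and ${VAR} values are not resolved.

# Print the argument of the last active "User" directive (names are
# case-insensitive in Apache; commented-out lines never match).
apache_conf_user() {
  awk 'tolower($1) == "user" { u = $2 } END { print u }' "$1"
}

# Exit 0 when the value names uid 0, either as "root" or as "#0".
is_root_user() {
  case "$1" in root|'#0') return 0 ;; *) return 1 ;; esac
}

# Exit 0 when `apache2 -V` text ($1) lists the compile-time define.
# Exporting CFLAGS in a shell never changes this output; only a rebuild does.
built_with_big_security_hole() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*-D[[:space:]]*BIG_SECURITY_HOLE([^A-Za-z0-9_]|$)'
}

# $1 = config file, $2 = captured `apache2 -V` output. Prints one verdict.
audit_apache_root() {
  user=$(apache_conf_user "$1")
  if ! is_root_user "$user"; then
    echo "OK: User directive is '${user:-<none>}'"
  elif built_with_big_security_hole "$2"; then
    echo "CRITICAL: User $user on a binary built with BIG_SECURITY_HOLE"
  else
    echo "MISCONFIG: User $user, but this binary refuses to serve as root"
  fi
}

# Constructed sample: the poster's situation (root in config, stock binary).
demo() {
  conf=$(mktemp)
  printf '%s\n' '# User www-data' 'User root' 'Group www-data' > "$conf"
  stock=$(printf '%s\n' 'Server compiled with....' ' -D APR_HAS_SENDFILE')
  audit_apache_root "$conf" "$stock"
  audit_apache_root "$conf" "$(printf '%s\n -D BIG_SECURITY_HOLE' "$stock")"
  rm -f "$conf"
}
demo
```

On a live host, pass the real config path and the output of `apache2 -V` as the two arguments to `audit_apache_root`.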
But how do I do that?
And why is the flag called DBIG_SECURITY_HOLE? What's the security hole with allowing an Apache server to run as root? The error message says that any local user can get read access to any file on the system, but I don't see the security hole in that? To gain access locally, or by SSH, they need to be behind my firewall, which means they need to be at a machine on my network, and all my machines are in the same room = they need physical access to the machine. I only see a security risk with running as root IF the server is placed in a web hotel solution. Then people on the same server can access each other's files. But there are more servers alone than on a web hotel solution.