Back to Security Pattern Catalog
: Exterior Security, Tampering
Any vulnerability that is in a server application is open for manipulation by some malicious user. So the server application should be protected from misuse. However, the diversity of attack types poses a difficulty because the server cannot anticipate it beforehand. How can the server applications be made safe?
Limit the privileges that web components possess at run time. Create a user account only used by server. Limit the privilege so that it has execution privilege only (no administrative privilege). Web applications require limited privilege once they are started. Assign a Unix server application to listen on a privileged port. Start the application on the server with additional privileges, but once the privileges are no longer needed perform a privilege drop.
Apache Web server starts at port 80 with root privileges, but then lowers its privilege and runs as ‘nobody’.
Kienzle et. al. Repository
Last modified: May 05, 2012
and Maintained by: Munawar Hafiz