[Karellen]

> as when people used to run LAMP as root…

When was that, exactly?

I just grabbed by copy of CGI Programming on the World Wide Web by Gundavaram from 1996, and on page 368 it says:

> Most servers are set up to run with the user identification (UID) of "nobody," which means that your scripts have to be world executable. The reason for this is that "nobody" has minimal privileges.

Sure, there would always have been a few idiots who ran everything as root, but my recollection, backed up by the well-respected O'Reilly & Associates here, is that running internet-facing services with restricted privileges was the majority position for at least as long as web servers have had version numbers of 1.0+.

[aftbit]

I think this might be a newer problem than 1996 actually. I have seen an awful lot of "modern" (2010s at least) devops which runs everything as root because the developer could not be bothered to understand the unix permissions model. I would guess that focus on security is something that waxes and wanes, rather than something that monotonically becomes more important in the culture.

[Nextgrid]

To be fair, if the only thing that the server runs is the application then root or the application’s normal user doesn’t really matter much.

[LammyL]

It should because if you can exploit the root user, it is much easier to use that machine as a lunching point for a secondary attack. Further, root will let you cover your tracks much more easily than an unprivileged user.

[tlackemann]

Just because you read it in an old book doesn't mean people practice it. Any real world experience outside a Fortune 500 will inform you that.

[bink]

It takes real effort to run most of the LAMP stack as root. If you don't understand Unix permissions it's not easy. Apache, mysql, (and therefore php) all run by default as a low-privileged user. I have plenty of real world experience and haven't seen apache or mysql run as root outside of embedded devices, and even that was maybe a handful of times.

[ufo]

Another way to say it is that if a book says to not do something, it must be because there are people out there doing the opposite...

[Karellen]

But the book isn't saying "You should try to make sure your web server runs as nobody". It's saying "when you're deploying your CGI programs, take into account the fact that the web server you're deploying to likely runs as nobody".