Web security planning - web server executables

Web servers should not be run as root. This ensures that if someone compromises any software associated with the deployment through a bug, they don't have root privileges to damage the server.

Web servers allow you to access files on their host machines, and a server running as root can modify any of those files for a deeper attack or delete them to make your web servers unavailable.

It is acceptable, although not recommended, to start the web server as root. A proxy server can be used to accept HTTP traffic and redirect it to a port above 1024 on a UNIX system. If a proxy is not available and the web server must be started on port 80, it is necessary to start the web server as root. The web server then calls setuid to give up its root privileges and continue running as a generic unprivileged account. The web server's configuration file should allow you to specify what user it runs as. Any user may own the binary. The setuid bit should not be set on the web server binary.