Experienced administrators have no doubt heard the following caution more than once, but it bears repeating: Never, never, never run the Web server daemon as root. Yes, you must start the Apache daemon as root, but after the initialization process, the daemon maintains one "controller" thread owned by root, and then forks a number of subthreads (determined by the StartServers directive) owned by the User and Group directives set in the httpd.conf file. These subthreads simply serve requested pages, and have nothing to do with "command and control" decisions the root daemon responsible for the initial Apache process makes. Running the Apache daemon as root opens your system to a whole world of potential chaos; root authority is something you need to carefully guard and mete out only to individuals who fully understand the power of superuser access.

If you are responsible for the administration of a Web server connected (directly or indirectly) to the Internet, please ensure the server has separate user/group accounts in place and that the Web server is configured to run under these accounts.