This is
very bad advice. Two rules of good security:
- No files should be owned by nobody. This UID is used by many daemons. If they are compromised then those files can overwriten which can help attacker to gain more access to the system.
- root as owner of cgi script is fine (or any other UID != UID under which Apache runs). This ensures that if either Apache or cgi script is compromised cgi script itself cannot be modified by attacker. The only problem with
root as owner of cgi script is that it forces to use root account to update those files. It is better to use another account for this task.
--
Ilya Martynov
(http://martynov.org/)