If an attacker finds an exploit to take control of httpd, they're still blocked in part by the fact that httpd runs as the unprivileged apache user and hence can't write any root-owned files on the system, unless the attacker also knows of a second attack that lets apache escalate its privilege. Basically correct?

What about sshd -- assuming that the attacker can connect to sshd at all (i.e. not prevented by a firewall), if they find an exploit to let them take control of sshd, would that imply immediate total control of the machine? Because if they can control sshd they can tell sshd, "Allow root login (even if prohibited in sshd.conf) and accept 'foo' as the password", then the attacker can log in as root.

Is it possible, even in theory, to provide a second layer of defense behind sshd to prevent the attacker from controlling the machine, if the attacker controls sshd? The "log me in as root" attack would appear to imply that an extra layer is not possible.

(Note I'm not talking about extra layers of security *in front* of sshd, like a firewall that only permits logins from known locations. I'm also not talking about detection after the fact -- obviously you can detect unexpected root logins from the /var/log/secure* files if the attacker doesn't erase them -- only whether you could use extra layers to *prevent* the attacker from owning the machine if they take control of sshd.)
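The layered model the question asks about, as an added illustration that is not part of the original post: a constructed Python model contrasting a daemon that keeps its login policy in the same process as its network-facing parser with one where an unprivileged worker can only ask a separate privileged monitor for a verdict (the shape OpenSSH's privilege separation takes). The class names, the credential store and the "PermitRootLogin" style policy are assumptions made for the example.

```python
import hashlib
import hmac

def _hash(password: str) -> bytes:
    # Constructed fixed salt; acceptable for a model, never for a real credential store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)

# Constructed sample credential store (hypothetical accounts, not real ones).
CREDENTIALS = {"alice": _hash("correct horse"), "root": _hash("real-root-pw")}

def check_password(user: str, password: str) -> bool:
    stored = CREDENTIALS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password))

class SingleProcessDaemon:
    """One privileged process does both network parsing and policy (no second layer).
    Code that hijacks this process also owns its policy variables."""
    def __init__(self) -> None:
        self.permit_root_login = False
    def login(self, user: str, password: str, compromised: bool = False) -> bool:
        if compromised:
            # Attacker code runs with the daemon's privileges and memory: it can
            # flip the policy and skip the password check outright.
            self.permit_root_login = True
            return user == "root"
        if user == "root" and not self.permit_root_login:
            return False
        return check_password(user, password)

class Monitor:
    """Privileged process that keeps policy and credential checks to itself."""
    permit_root_login = False
    def authorize(self, user: str, password: str) -> bool:
        if user == "root" and not self.permit_root_login:
            return False
        return check_password(user, password)

class Worker:
    """Unprivileged, network-facing process: it can only *ask* the monitor."""
    def __init__(self, monitor: Monitor, compromised: bool = False) -> None:
        self.monitor = monitor
        self.compromised = compromised
    def login(self, user: str, password: str) -> bool:
        if self.compromised:
            # The attacker controls what is sent, but not the monitor's verdict.
            user, password = "root", "foo"
        return self.monitor.authorize(user, password)
```

The monitor still has to be correct on its own narrow request interface; the model only shows that owning the worker does not by itself hand over the monitor's verdict.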