Date: Wed, 7 Feb 2001 11:57:37 +0200
From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: ports@FreeBSD.org
Subject: Re: Needed: apache/httpd ports to use 'www' user
Message-ID: <20010207115736.A37769@rapier.smartspace.co.za>
In-Reply-To: <20010207014012.B22502@mollari.cthul.hu>; from kris@obsecurity.org on Wed, Feb 07, 2001 at 01:40:12AM -0800
References: <20010207014012.B22502@mollari.cthul.hu>

On Wed 2001-02-07 (01:40), Kris Kennaway wrote:
> Subject says it all - we need to update the various webserver ports
> (and any others) to not use the 'nobody' user, but to use a 'www' user
> (which should be added to the base system, IMO). The 'nobody' user
> should NOT confer any privileges on people who hold it - the fact that
> e.g. apache runs as the nobody user is certainly a privilege, as it
> will let attackers compromise the website if they gain access to the
> nobody user by breaking some other utility.
>
> I've had discussions with Ade about this before, but don't know the
> current status of the changes.

I prefer a "httpd" bikeshed - it's less likely to have been used by
others (and I've seen lots of places with a "www" group, and
group-writable web pages).

I personally use "apache", but that may be too specific; but I like
specific.

I've been working on moving zope to user zope - it's also the way I run
it by default. "squid" is another good target.

Neil
-- 
Neil Blakey-Milner
nbm@mithrandr.moria.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
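
The concern in the quoted message, that unrelated daemons sharing one account such as 'nobody' inherit each other's access once any one of them is broken, can be checked on a host by grouping running processes by owner. This is an added example, not part of the original message or of the FreeBSD ports tree; the ps output is constructed and the function names are hypothetical.

```python
# Flag service accounts shared by unrelated daemons (e.g. 'nobody').
# Input is the text produced by `ps -axo user,comm` (columns: USER, COMMAND).
from collections import defaultdict

# Constructed sample, not captured from a real host.
SAMPLE_PS = """\
USER     COMMAND
root     init
root     syslogd
nobody   httpd
nobody   httpd
nobody   squid
zope     python
www      thttpd
"""

# Accounts expected to own many unrelated processes; not reported.
IGNORED = {"root"}


def daemons_by_user(ps_text):
    """Map each user to the set of distinct command names it runs."""
    owners = defaultdict(set)
    for line in ps_text.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue                            # blank or malformed line
        user, command = fields
        owners[user].add(command.strip())
    return owners


def shared_accounts(ps_text, ignored=IGNORED):
    """Return {user: sorted commands} for accounts running 2+ distinct daemons.

    A hit means a compromise of one listed daemon yields the same uid as
    the others, which is what a per-service account ('httpd', 'zope',
    'squid') avoids.
    """
    return {
        user: sorted(cmds)
        for user, cmds in daemons_by_user(ps_text).items()
        if user not in ignored and len(cmds) > 1
    }


if __name__ == "__main__":
    for user, cmds in shared_accounts(SAMPLE_PS).items():
        print(f"{user}: shared by {', '.join(cmds)}")
```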