From owner-freebsd-ports Thu Oct 18 5:13: 5 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from sapas.dppl.net (sapas.dppl.com [216.182.10.231]) by hub.freebsd.org (Postfix) with ESMTP id 84AD537B403 for ; Thu, 18 Oct 2001 05:13:02 -0700 (PDT)
Received: from volyn.dppl.net (cc375212-a.union1.nj.home.com [24.253.222.7]) by sapas.dppl.net (Postfix) with ESMTP id 51E043E0C; Thu, 18 Oct 2001 08:12:50 -0400 (EDT)
Date: Thu, 18 Oct 2001 08:12:49 -0400
From: Yarema
To: ports@FreeBSD.org
Cc: Sheldon Hearn, "Andrey A. Chernov"
Subject: Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned
Message-ID: <864670000.1003407169@volyn.dppl.net>
In-Reply-To: <28552.1003405786@axl.seasidesoftware.co.za>
References: <28552.1003405786@axl.seasidesoftware.co.za>
X-Mailer: Mulberry/2.1.0 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

--On Thursday, October 18, 2001 13:49:46 +0200 Sheldon Hearn wrote:

>
> On Thu, 18 Oct 2001 15:43:06 +0400, "Andrey A. Chernov" wrote:
>
>> > Apache is not abusing nobody:nogroup -- users who don't configure
>> > their CGI environment are. The Right Thing is to run CGIs via
>> > suexec.
>>
>> No, Apache abuses nobody just running under it. It gains to it access
>> privileges it must not have.
>
> Now you've TOTALLY lost me. You're saying processes shouldn't be run as
> nobody? :-)

OK, I'm kinda lost here too. I understand that nobody:nogroup should not own any files. I do not understand that 'Apache abuses nobody just running under it' by gaining 'access to privileges it must not have.' What exactly are these privileges 'it must not have?' Privileges to write files? What is the proper use for nobody:nogroup?

>> > suexec works better if apache does run as nobody:nogroup.
>>
>> No. suexec works equally for any user/group.
>
> Exactly. :-)
>
> Ciao,
> Sheldon.

That may be true about suexec. But why is nobody:nogroup any less or more equal than any other group for this purpose? I always thought it an advantage to run apache+suexec as the least privileged user:group which never owns any files. I'm not trying to be difficult -- I'm just looking to learn something new. Or in this case probably something very old. :)

--
Yarema

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
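As an added illustration following the message above (this is not code from the thread, the Apache port, or the FreeBSD ports tree), the POSIX shell script below makes the disagreement concrete. The uid a daemon runs as defines what a compromised CGI under it can touch: every other process sharing that uid, and every file that uid (or its group, or the world) can write. A shared `nobody` uid is therefore a weaker choice than a dedicated `www` uid even if `nobody` owns nothing under the document root. The `ps` output, the file listing, the daemon names and the paths are all constructed sample data; the `stat` invocations in the comments are the assumed way to produce a real listing on FreeBSD or Linux.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit what a web server's
# uid/gid can reach. All sample data below is constructed.

# shared_uid_procs USER < ps-listing
# Input lines: "USER PID COMMAND" (as from `ps -axo user,pid,comm`).
# Output: commands other than httpd that run under USER, one per line.
# Anything listed here is reachable (ptrace, signals, its files) from a
# compromised CGI running as USER.
shared_uid_procs() {
    awk -v u="$1" 'NR > 1 && $1 == u && $3 != "httpd" { print $3 }'
}

# writable_by USER GROUP < file-listing
# Input lines: "OWNER GROUP MODE PATH", e.g. from
#   find DOCROOT -type f -exec stat -c '%U %G %a %n' {} +     (GNU stat, assumed)
#   find DOCROOT -type f -exec stat -f '%Su %Sg %Lp %N' {} +  (FreeBSD stat, assumed)
# Output: paths USER:GROUP could modify: owned by USER with the owner write
# bit, group GROUP with the group write bit, or world-writable.
writable_by() {
    awk -v u="$1" -v g="$2" '
    {
        mode = $3
        # keep only the last three octal digits (drop setuid/setgid/sticky)
        perm = substr(mode, length(mode) - 2)
        ow = int(substr(perm, 1, 1))
        gw = int(substr(perm, 2, 1))
        ot = int(substr(perm, 3, 1))
        # the write bit has value 2 inside each octal digit
        if (($1 == u && ow % 4 >= 2) || ($2 == g && gw % 4 >= 2) || (ot % 4 >= 2))
            print $4
    }'
}

# Constructed sample `ps` output: unrelated daemons sharing uid nobody.
PS_SAMPLE='USER PID COMMAND
root 1 init
nobody 312 nfsd
nobody 415 dnscache
nobody 990 httpd
www 1001 httpd'

# Constructed sample document-root listing (paths are hypothetical).
FILES_SAMPLE='www www 644 /usr/local/www/data/index.html
root wheel 644 /usr/local/www/data/about.html
nobody nogroup 644 /usr/local/www/cgi-bin/counter.cgi
root wheel 666 /usr/local/www/data/guestbook.txt
root www 664 /usr/local/www/data/upload.log'

main() {
    echo "other processes running as nobody (reachable from a CGI under nobody):"
    printf '%s\n' "$PS_SAMPLE" | shared_uid_procs nobody
    echo "files an httpd running as nobody:nogroup could modify:"
    printf '%s\n' "$FILES_SAMPLE" | writable_by nobody nogroup
    echo "files an httpd running as www:www could modify:"
    printf '%s\n' "$FILES_SAMPLE" | writable_by www www
}

main "$@"
```

Run against the sample data, the first report lists `nfsd` and `dnscache` as co-tenants of uid `nobody`, which is the exposure a dedicated `www` account removes regardless of file ownership. The second and third reports show that the file-side exposure follows the uid:gid the server actually runs as, and that world-writable files (the constructed `guestbook.txt`) are exposed under either identity; `suexec` does nothing about either of these, which is consistent with the remark in the thread that it works equally for any user/group.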