Date: 08 Feb 2001 11:38:45 -0800
From: asami@FreeBSD.org (Satoshi - Ports Wraith - Asami)
To: Kris Kennaway <kris@obsecurity.org>
Cc: ports@FreeBSD.org
Subject: Re: Needed: apache/httpd ports to use 'www' user
Message-ID: <yfkvgql0xtm.fsf@vader.clickarray.com>
In-Reply-To: <20010207014012.B22502@mollari.cthul.hu> (Kris Kennaway's message of "Wed, 07 Feb 2001 01:40:12 -0800")
References: <20010207014012.B22502@mollari.cthul.hu>

 * From: Kris Kennaway <kris@obsecurity.org>

 * Subject says it all - we need to update the various webserver ports
 * (and any others) to not use the 'nobody' user, but to use a 'www' user
 * (which should be added to the base system, IMO). The 'nobody' user
 * should NOT confer any privileges on people who hold it - the fact that
 * e.g. apache runs as the nobody user is certainly a privilege, as it
 * will let attackers compromise the website if they gain access to the
 * nobody user by breaking some other utility.

I've been looking at squid and was thinking the same thing. I change
uid/gid to "www" locally, but that should be done by the port.

nbm's suggestion that we have one for each class (webserver, proxy,
zope?) is probably a good idea though.

Satoshi
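
An added example, not part of the original messages: a small audit for the problem discussed in this thread, listing every non-root account that runs more than one distinct program, so that a shared 'nobody' shows up. The sample process list is constructed, including the program names in it, and the function name `shared_accounts` is hypothetical.

```shell
#!/bin/sh
# Constructed sample in the shape of `ps -axo user,comm` output with the
# header line removed. Not taken from a real host.
SAMPLE_PS='root sshd
nobody httpd
nobody httpd
nobody squid
nobody identd
www thttpd
bind named'

# shared_accounts: read "user command" lines on stdin and print one line
# for each non-root account that runs more than one distinct program:
#   user: prog1,prog2,...
# Any account listed here is a privilege shared between services: breaking
# one of the programs gives access to whatever the others own.
shared_accounts() {
    # Pass 1: drop root and malformed lines, keep each (user, program) once.
    awk 'NF >= 2 && $1 != "root" && !seen[$1 SUBSEP $2]++ { print $1, $2 }' |
    sort |
    # Pass 2: input is grouped by user; collect programs per user.
    awk '
        $1 != user {
            if (n > 1) print user ": " list
            user = $1; list = $2; n = 1
            next
        }
        { list = list "," $2; n++ }
        END { if (n > 1) print user ": " list }
    '
}

# Stand-alone run on the constructed sample.
# On a live system: ps -axo user,comm | sed 1d | shared_accounts
printf '%s\n' "$SAMPLE_PS" | shared_accounts
```

An empty result means every unprivileged account is used by a single program, which is the per-class layout suggested in the reply.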