From: asami@FreeBSD.org (Satoshi - Ports Wraith - Asami)
To: Kris Kennaway
Cc: ports@FreeBSD.org
Subject: Re: Needed: apache/httpd ports to use 'www' user
Date: 08 Feb 2001 11:38:45 -0800
References: <20010207014012.B22502@mollari.cthul.hu>
In-Reply-To: <20010207014012.B22502@mollari.cthul.hu> (Kris Kennaway's message of "Wed, 07 Feb 2001 01:40:12 -0800")

 * From: Kris Kennaway

 * Subject says it all - we need to update the various webserver ports
 * (and any others) to not use the 'nobody' user, but to use a 'www' user
 * (which should be added to the base system, IMO). The 'nobody' user
 * should NOT confer any privileges on people who hold it - the fact that
 * e.g. apache runs as the nobody user is certainly a privilege, as it
 * will let attackers compromise the website if they gain access to the
 * nobody user by breaking some other utility.

I've been looking at squid and was thinking the same thing.
I change uid/gid to "www" locally, but that should be done by the port. nbm's suggestion that we have one for each class (webserver, proxy, zope?) is probably a good idea though.

Satoshi
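
Added example, not part of the original message or of any FreeBSD port: a small audit for the condition this thread describes, where several unrelated daemons share one unprivileged account such as 'nobody'. It reads "USER COMMAND" lines in the form produced by `ps -axo user,comm`; the sample process list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Report non-root accounts that run more than one distinct daemon.
# A shared account means a flaw in any one of those daemons gives
# access to everything the others own or can signal.

# Constructed sample input (not output from a real host).
# On a live system, replace this with: ps -axo user,comm
sample_ps() {
cat <<'EOF'
USER COMMAND
root init
root syslogd
nobody httpd
nobody httpd
nobody squid
nobody identd
www thttpd
EOF
}

# Reads "USER COMMAND" lines (first line is the ps header) on stdin.
# Prints "account: cmd1,cmd2,..." for each shared account.
# root is skipped: the concern here is unprivileged service accounts.
shared_accounts() {
    awk 'NR > 1 && $1 != "root" {
             key = $1 SUBSEP $2
             if (!(key in seen)) {          # count each command once per account
                 seen[key] = 1
                 n[$1]++
                 cmds[$1] = (cmds[$1] == "" ? $2 : cmds[$1] "," $2)
             }
         }
         END {
             for (u in n)
                 if (n[u] > 1)
                     print u ": " cmds[u]
         }' | sort
}

sample_ps | shared_accounts
```

An empty report means every unprivileged account runs a single daemon, which is the per-class layout (webserver, proxy, ...) suggested in the thread.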