From owner-freebsd-ports  Thu Feb  8 11:36:41 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from mail.clickarray.com (unknown [216.132.92.2])
	by hub.freebsd.org (Postfix) with ESMTP id 2ABF037B69F
	for <ports@FreeBSD.org>; Thu,  8 Feb 2001 11:36:22 -0800 (PST)
Received: from vader.clickarray.com (nattedaddress.clickarray.com [10.2.1.199])
	by mail.clickarray.com (Postfix) with ESMTP
	id B98B15EF03; Thu,  8 Feb 2001 11:39:32 -0800 (PST)
Received: (from asami@localhost)
	by vader.clickarray.com (8.11.0/8.11.0) id f18Jcln51936;
	Thu, 8 Feb 2001 11:38:47 -0800 (PST)
	(envelope-from asami@cs.berkeley.edu)
X-Authentication-Warning: vader.clickarray.com: asami set sender to asami@cs.berkeley.edu using -f
To: Kris Kennaway <kris@obsecurity.org>
Cc: ports@FreeBSD.org
Subject: Re: Needed: apache/httpd ports to use 'www' user
References: <20010207014012.B22502@mollari.cthul.hu>
From: asami@FreeBSD.org (Satoshi - Ports Wraith - Asami)
MIME-Version: 1.0 (generated by SEMI 1.13.7 - "Awazu")
Content-Type: text/plain; charset=US-ASCII
Date: 08 Feb 2001 11:38:45 -0800
In-Reply-To: <20010207014012.B22502@mollari.cthul.hu>
 (Kris Kennaway's message of "Wed, 07 Feb 2001 01:40:12 -0800")
Message-ID: <yfkvgql0xtm.fsf@vader.clickarray.com>
Lines: 17
User-Agent: T-gnus/6.14.5 (based on Gnus v5.8.7) (revision 06) SEMI/1.13.7
 (Awazu) FLIM/1.13.2 (Kasanui) Emacs/20.7 (i386--freebsd) MULE/4.0
 =?ISO-2022-JP?B?KBskQjJWMWMbKEIp?=
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

 * From: Kris Kennaway <kris@obsecurity.org>

 * Subject says it all - we need to update the various webserver ports
 * (and any others) to not use the 'nobody' user, but to use a 'www' user
 * (which should be added to the base system, IMO).  The 'nobody' user
 * should NOT confer any privileges on people who hold it - the fact that
 * e.g. apache runs as the nobody user is certainly a privilege, as it
 * will let attackers compromise the website if they gain access to the
 * nobody user by breaking some other utility.

I've been looking at squid and was thinking the same thing.  I change
uid/gid to "www" locally, but that should be done by the port.

nbm's suggestion that we have one for each class (webserver, proxy,
zope?) is probably a good idea though.

Satoshi


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message