From: Kenneth W Cochran
Date: Fri, 21 Sep 2001 19:03:11 -0400 (EDT)
To: freebsd-isp@freebsd.org
Subject: Apache/webhosting user/group security/config
Message-Id: <200109212303.TAA11994@world.std.com>

Hello:

I'm trying to set up a webhosting server and have some questions about "properly secured" Apache configuration. I've been digging through books, security/apache-related websites, and FreeBSD mail & pr archives & so far, cannot find answers to my "situation." Especially, I haven't found clear (to me) explanation/recommendations for owner/group/permissions of Web-*content* directories.

Background/current configuration:

OS is FreeBSD 4.4-stable, recently cvsup'ed/built/running. Web content is to be in its own filesystem(s), outside of any of the "system" directories (for example, outside of /usr and /var). The default installation of the apache port (1.3.20) operates httpd as user/group "nobody/nogroup" and the default apache+ssl port configuration runs httpd as user/group "nobody/nobody."

Question: How "sane" is this user/group? For example, very knowledgeable people with whom I've spoken and books and other resources I've researched indicate that "nobody" is probably not very good, as it is already "taken" by nfs. I'm considering a send-pr, requesting this for review/change.
So, what would be a good alternative? For example, "bind" was added as a user/group sometime back in support of boxing named, so, in keeping with that "tradition/convention," maybe:

- "apache?"
- www - sounds good, & in common use in Linux, but I was thinking more of "www" as a group (to me, it "fits better" in that namespace :).
- httpd - good, too, but might confuse reports, distinguishing between the running daemon & its owner.

Also, what would be a good UID/GID number? Bind is using 53 for both UID & GID, apparently using that service's port-number. So, maybe 80 for the webserver UID & GID?

I need & plan to enable suEXEC & need to make sure that is "sane and proper." :) For examples:

- What should I use for suEXEC's document-root directory?
- What should suEXEC's caller-UID be? (default: www)
- What other suEXEC configuration options should I consider? For example, if I make a UID/GID of 80 for suexec and set its minimum at, say, 1000 (its default is 100 anyway), will that not allow suexec to operate?

Here are some (more specific) things with which I'm having misgivings:

I'm being asked to create a user & group of "www" and to run httpd as this user & group. Currently, this is nobody/nogroup, and as I mentioned above, this should probably indeed be changed.

Additionally, I'm being asked to add "www" to the allowed/invited groups of a hosted user (in /etc/groups). I'm told (& I agree) that this should be unnecessary.

I've tried to explain that these are bad ideas/practices but so far, I haven't been able to adequately explain that to the requesting parties. Can someone help me with a "good explanation" of why these are Bad Ideas (if indeed, they are bad, of course)? Citable sources would be Most Appreciated, too. :)

I'd also appreciate pointers to other places (ie. mailing-lists) to ask if this is not "best/appropriate." :) For example, would -security be a good place to ask?

Please cc me on replies.
Many thanks,
-kc
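The two configuration worries in the post (a dedicated httpd user/group instead of "nobody", and hosted users being added to that group) can be checked mechanically. The following POSIX sh script is an added example; it is not part of the post, nor the FreeBSD or Apache project's own tooling. It assumes the "www" user/group with UID/GID 80 that the post proposes, and it runs against constructed sample group-file content rather than the live /etc/group, so it works offline. The `pw` commands shown in the comment are the FreeBSD commands for creating such an account; they are documented there for reference and are not executed by the script.

```shell
#!/bin/sh
# Added example: audit helpers for a dedicated httpd user/group on a
# webhosting box. Not code from the original post.
#
# Creating the account on FreeBSD would be done (as root) with:
#   pw groupadd www -g 80
#   pw useradd www -u 80 -g www -d /nonexistent -s /usr/sbin/nologin \
#       -c "World Wide Web Owner"
# Those commands are for reference only; nothing below modifies the system.

HTTPD_USER="www"    # assumption: daemon runs as this user
HTTPD_GROUP="www"   # assumption: daemon runs with this primary group

# Constructed sample /etc/group content. "alice" is a hosted user who was
# (wrongly) added to the www group; "bob" was not.
SAMPLE_GROUP='wheel:*:0:root
www:*:80:alice
users:*:100:alice,bob
nogroup:*:65533:'

# members_of CONTENT GROUP: print the supplementary members of GROUP,
# one per line, from group-file CONTENT (same format as /etc/group).
members_of() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# extra_members CONTENT: hosted users that have been placed in the httpd
# group. The daemon needs read access to content, which file ownership and
# group bits already provide; a shell user in the daemon's group instead
# inherits the daemon's group rights on every hosted site, so the expected
# result of this check is an empty list.
extra_members() {
    members_of "$1" "$HTTPD_GROUP" | grep -vx "$HTTPD_USER" || true
}

# httpd_can_write OWNER GROUP MODE: return 0 (true) if the httpd user could
# write to an object with the given owner, group and octal mode, 1 otherwise.
# Content directories are normally owned by the hosted user with group www
# and mode 0750 (files 0640): the daemon can read, but cannot modify content.
httpd_can_write() {
    owner=$1; group=$2; mode=$3
    perm=${mode#"${mode%???}"}        # last three octal digits (strip setuid etc.)
    u=${perm%??}                       # owner digit
    g=${perm#?}; g=${g%?}              # group digit
    o=${perm#??}                       # other digit
    if [ "$owner" = "$HTTPD_USER" ] && [ $((u & 2)) -ne 0 ]; then return 0; fi
    if [ "$group" = "$HTTPD_GROUP" ] && [ $((g & 2)) -ne 0 ]; then return 0; fi
    [ $((o & 2)) -ne 0 ]
}

# Stand-alone run: report what the sample data shows.
if [ "${1:-}" = "--demo" ]; then
    echo "hosted users in group $HTTPD_GROUP:"
    extra_members "$SAMPLE_GROUP" | sed 's/^/  /'
    for spec in "alice www 0750" "alice www 0770" "www www 0755"; do
        set -- $spec
        if httpd_can_write "$1" "$2" "$3"; then r="writable"; else r="read-only"; fi
        echo "owner=$1 group=$2 mode=$3 -> httpd: $r"
    done
fi
```

Run with `sh audit.sh --demo` to see the sample findings. The same functions work on real data by passing `"$(cat /etc/group)"` to `extra_members` and the owner/group/mode of each document root to `httpd_can_write`.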