From owner-freebsd-questions Tue Sep 4 17:22:54 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp011.mail.yahoo.com (smtp011.mail.yahoo.com [216.136.173.31]) by hub.freebsd.org (Postfix) with SMTP id B994337B406 for ; Tue, 4 Sep 2001 17:22:38 -0700 (PDT)
Received: from ae04038.powerup.com.au (HELO warhawk) (203.147.163.38) by smtp.mail.vip.sc5.yahoo.com with SMTP; 5 Sep 2001 00:22:36 -0000
X-Apparently-From:
From: "Haikal Saadh"
To:
Cc: "Freebsd-Newbies@Freebsd. Org"
Subject: FW: httpd user for Apache?
Date: Wed, 5 Sep 2001 10:27:10 +1000
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

blast, made a typo in the address. fwding to questions.

-----Original Message-----
From: owner-freebsd-newbies@FreeBSD.ORG
[mailto:owner-freebsd-newbies@FreeBSD.ORG]On Behalf Of Haikal Saadh
Sent: Wednesday, 5 September 2001 10:21 AM
To: Boris Köster; Søren Neigaard; freebsd-newbies@FreeBSD.ORG
Cc: qustions@freebsd.org
Subject: RE: httpd user for Apache?

[CC'ed to questions]

> -----Original Message-----
> From: owner-freebsd-newbies@FreeBSD.ORG
> [mailto:owner-freebsd-newbies@FreeBSD.ORG]On Behalf Of Boris Köster
> Sent: Wednesday, 5 September 2001 7:53 AM
> To: Søren Neigaard; freebsd-newbies@FreeBSD.ORG
> Subject: Re: httpd user for Apache?
>
>
> On 4 Sep 2001 at 20:53, Søren Neigaard wrote:
>
> > I have read somewhere that it is a good idea to make your
> > applications run under specific users, and not under root. What is the
> > best way to configure such a user, as an example a user for the Apache
> > httpd daemon (I got so far as to name the user httpd). Should it be in
> > a specific group, have restricted rights and so on...
>
> httpd.conf [snip]:
>
> # If you wish httpd to run as a different user or group, you must run
> # httpd as root initially and it will switch.
> #
> # User/Group: The name (or #number) of the user/group to run httpd as.
> #  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
> #  . On HPUX you may not be able to use shared memory as nobody, and the
> #    suggested workaround is to create a user www and use that user.
> #  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
> #  when the value of (unsigned)Group is above 60000;
> #  don't use Group nobody on these systems!
> #
> User nobody
> Group nobody
>
>
> Tip: search for "SuExec" and CGIwrap somewhere for other, more or
> less paranoia security *gg
>
>
> You can play the same game with user/group in your virtual domains.

One of the reasons for running apache as a separate user/group (such as
www/www, as I do) would be that certain CGI scripts expect to be read by the
webserver, and not anyone else, and there are quite a few processes that run
as nobody by default. Am I right on this?

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-newbies" in the body of the message
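
Added example, not part of any message in this thread: a small Python audit of the User/Group directives discussed above, reporting for the server config and for each virtual host whether httpd would run as root, as the shared nobody account, or as a dedicated account such as www. The sample config, the virtual host address and the function names are constructed for illustration.

```python
import re
# Constructed sample: the User/Group lines quoted in the thread, plus a
# hypothetical virtual host that overrides them (Apache 1.3 with suEXEC).
SAMPLE_CONF = """\
# User/Group: The name (or #number) of the user/group to run httpd as.
User nobody
Group nobody
UserDir public_html
<VirtualHost 192.0.2.10>
    User #0
    Group www
</VirtualHost>
"""

PRIVILEGED = {"root", "wheel", "#0"}  # uid/gid 0 (wheel is gid 0 on FreeBSD)
SHARED = {"nobody", "nogroup"}        # catch-all accounts other daemons may use
DIRECTIVE = re.compile(r"^(User|Group)\s+(\S+)", re.IGNORECASE)
VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.IGNORECASE)

def classify(value):  # account name or #number -> verdict
    v = value.strip('"').lower()
    if v in PRIVILEGED:
        return "privileged"
    return "shared" if v in SHARED else "dedicated"

def audit(conf_text):
    """Return (scope, directive, value, verdict) for every User/Group line."""
    findings, scope = [], "server"
    for raw in conf_text.splitlines():
        line = raw.strip()
        # '#' opens a comment only at line start, so "User #0" is a directive.
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            scope = "vhost " + opened.group(1).strip()
        elif VHOST_CLOSE.match(line):
            scope = "server"
        else:
            m = DIRECTIVE.match(line)
            if m:  # "UserDir ..." does not match: \s+ must follow the name
                name, value = m.group(1).capitalize(), m.group(2)
                findings.append((scope, name, value, classify(value)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding)
```
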