From owner-freebsd-questions Sun Jul 4 22:47: 7 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from ucsu.Colorado.EDU (ucsu.Colorado.EDU [128.138.129.83]) by hub.freebsd.org (Postfix) with ESMTP id 7C56314D20 for ; Sun, 4 Jul 1999 22:47:04 -0700 (PDT) (envelope-from doranj@ucsu.Colorado.EDU)
Received: (from doranj@localhost) by ucsu.Colorado.EDU (8.9.3/8.9.3/ITS-5.0/standard) id XAA06548; Sun, 4 Jul 1999 23:46:59 -0600 (MDT)
From: Jonathon Doran
Message-Id: <199907050546.XAA06548@ucsu.Colorado.EDU>
Subject: Re: Use of user nobody
To: junkmale@xtra.co.nz
Date: Sun, 4 Jul 1999 23:46:59 -0600 (MDT)
Cc: doranj@Colorado.EDU, questions@FreeBSD.ORG
In-Reply-To: <19990704213504.GDNY112692.mta2-rme@wocker> from "Dan Langille" at Jul 5, 99 09:32:15 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > This user has no privileges, can't login, has an invalid password, and
> > doesn't belong to any group. This limits the ability to exploit bugs in
> > programs running as "nobody". There is otherwise, nothing special about
> > nobody.
>
> Given the above, I recall reading somewhere that it's better to create a
> separate user for apache (such as http). Any logic behind that reasoning?

Yes. If you have multiple programs (say Apache and wu_ftp) and you were to
run them under the same UID, it might be possible to use one to mess with
the other. This would be easier, since they would share ownership of some
files. However, if each had their own UID, they wouldn't be able to get out
of their sandbox.

Jon Doran

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
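The point Jon makes above (two daemons sharing a UID also share ownership of each other's files, so a bug in one can be used to tamper with the other) can be checked mechanically. The following is an added example, not code from the mailing-list post or from FreeBSD: it models the POSIX owner/group/other write check over a constructed table of services and the files they own, and reports every file one service's process could overwrite in another service's tree. The two setups (both daemons as "nobody", then each under its own UID), the UIDs, GIDs, paths and mode bits are all constructed sample data. It goes slightly beyond the post in also flagging world-writable and group-writable files, since those undo the separation even when the UIDs differ.

```python
"""
Audit which files belonging to one service could be overwritten by another.

Constructed example: the tables below stand in for what you would collect
from ps(1) and stat(1) on a real host.  Root is deliberately not modelled;
the interesting case is an unprivileged daemon reaching a sibling's files.
"""
from dataclasses import dataclass, field
import stat


@dataclass
class Service:
    name: str
    uid: int          # UID the daemon runs as
    gid: int          # primary GID the daemon runs as
    # path -> (owner uid, owner gid, permission bits)
    files: dict = field(default_factory=dict)


def can_write(uid, gid, owner_uid, owner_gid, mode):
    """Plain POSIX DAC write check: owner bits, then group, then other."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def cross_writes(services):
    """Return (writer, victim, path, reason) for every cross-service write."""
    findings = []
    for writer in services:
        for victim in services:
            if writer is victim:
                continue
            for path, (ouid, ogid, mode) in victim.files.items():
                if not can_write(writer.uid, writer.gid, ouid, ogid, mode):
                    continue
                if writer.uid == ouid:
                    reason = "shared uid"
                elif writer.gid == ogid:
                    reason = "shared gid"
                else:
                    reason = "world-writable"
                findings.append((writer.name, victim.name, path, reason))
    return findings


# Constructed setup 1: both daemons run as nobody (uid/gid 65534 assumed),
# and each owns its own data.  Ownership is shared, so each can rewrite the
# other's files even though neither file is group- or world-writable.
SHARED_UID_SETUP = [
    Service("apache", 65534, 65534,
            {"/usr/local/www/data/index.html": (65534, 65534, 0o644)}),
    Service("wu_ftpd", 65534, 65534,
            {"/var/ftp/incoming": (65534, 65534, 0o755)}),
]

# Constructed setup 2: separate UIDs (80 for www, 14 for ftp, both assumed).
# The upload directory has been left mode 0777, which is the one remaining
# way the web daemon can still reach into the FTP tree.
SEPARATE_UID_SETUP = [
    Service("apache", 80, 80,
            {"/usr/local/www/data/index.html": (80, 80, 0o644)}),
    Service("wu_ftpd", 14, 14,
            {"/var/ftp/incoming": (14, 14, 0o777)}),
]


def report(services):
    """Human-readable summary; returns the findings for further use."""
    findings = cross_writes(services)
    for writer, victim, path, reason in findings:
        print(f"{writer} can write {victim}'s {path} ({reason})")
    if not findings:
        print("no cross-service writes")
    return findings


if __name__ == "__main__":
    print("-- shared uid --")
    report(SHARED_UID_SETUP)
    print("-- separate uids --")
    report(SEPARATE_UID_SETUP)
```

With the shared-UID table every file is reachable from the other daemon; after splitting the UIDs only the deliberately world-writable directory remains, which is the kind of leftover a practitioner would then fix with a dedicated group or a tighter mode.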