Date: Mon, 16 Apr 2001 12:46:38 -0700 (PDT) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: kris@obsecurity.org (Kris Kennaway) Cc: ache@nagual.pp.ru (Andrey A. Chernov), cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: ports/www/mnoGoSearch-current Makefile Message-ID: <200104161946.MAA53542@gndrsh.dnsmgr.net> In-Reply-To: <20010416124342.A11258@xor.obsecurity.org> from Kris Kennaway at "Apr 16, 2001 12:43:42 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> On Mon, Apr 16, 2001 at 12:39:56PM -0700, Rodney W. Grimes wrote: > > > On Mon, Apr 16, 2001 at 09:06:23AM -0700, Rodney W. Grimes wrote: > > > > > > > Also it seems as if -YOU- are the maintainer of apache, so please can > > > > you go fix it's abuse of nobody:nogroup. (Hint: running as nobody:nogroup > > > > is _NOT_ the bug.) > > > > > > Well, arguably it is, because people persist in making files owned by > > > nobody, and since apache runs as that user a webserver compromise > > > gives access to all those files. If it ran as e.g. user www, then > > > it's explicit which files it owns because that user is unlikely to be > > > used randomly outside a webserver context. > > > > I will agree that the running of of apache as nobody:nogroup is an > > arguable thing. But running it as www:www and having all the files > > _owned_ and _grouped_ www:www only solves the NFS issue, and does > > not address the other problem of having your webserver being able > > to nuked it's own content via all too common cgi bugs. > > Yeah, wwwserver might be better, with a default wwwdata user provided > to make it clear what data files should be owned by. That works for me! -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104161946.MAA53542>