Date: Thu, 20 Sep 2001 11:06:10 -0400 (EDT) From: Kenneth W Cochran <kwc@world.std.com> To: danny@alphazed.com Cc: freebsd-questions@freebsd.org Subject: Re: Apache/webhosting user/group security/config Message-ID: <200109201506.LAA28764@world.std.com> References: <200109182322.TAA24517@world.std.com>
next in thread | previous in thread | raw e-mail | index | archive | help
>Date: Wed, 19 Sep 2001 10:26:01 +0100 >From: daniel lawrence <danny@alphazed.com> >To: Kenneth W Cochran <kwc@world.std.com> >Cc: freebsd-questions@freebsd.org >Subject: Re: Apache/webhosting user/group security/config > >On Tue, Sep 18, 2001 at 07:22:12PM -0400, Kenneth W Cochran wrote: >> I'm trying to set up a webhosting server and have some questions >> about "properly secured" Apache configuration. I've been digging >> through books, security/apache-related websites, and FreeBSD mail >> archives & so far, cannot find answers to my "situation." >> >> Background/current configuration: >> >> OS is FreeBSD 4.4-stable, recently cvsup'ed/built/running. >> >> Web content is to be in its own filesystem, outside of any of the >> "system" directories (for example, outside of /usr and /var). >> >> The default installation of the apache port (1.3.20) operates >> httpd as user/group "nobody/nogroup" and the default apache+ssl >> port configuration runs httpd as user/group "nobody/nobody." >> (Question: How "sane" are these?") > >The intent of the usual nobody/nobody configuration for any daemon is to >ensure the process runs with as few privileges as possible. The thinking is >that if the process does not run as any system user or as any normal user, >it can do minimal damage if it goes wrong. > >This breaks down, however, when you start having additional unrelated >daemons also running as nobody. At this point you introduce the possibility >that they may trample over one another. For example, if one process creates >a file, it is owned by 'nobody'. The other daemon then has full permission to >modify this file. > >There are other issues related to resource limits which get muddied when more >than one unrelated application runs under the same identity. I'm wondering if the Apache ports' (yes, plural, b/c apache+ssl does same) use of nobody/nogroup is some kind of oversight & that FreeBSD needs a unique user/group for this. I'm thinking of a send-pr, but I don't want to duplicate anything. >> I need & plan to enable suEXEC & need to make sure that is >> properly done. (For examples, what should I use for suEXEC's >> document-root directory? And what other suEXEC configuration >> options should I consider?) > >http://httpd.apache.org/docs/suexec.html Correct, but I still haven't yet found clear explanations/recommendations for Web *content* directory structure/permissions. (?) >> Here are some things with which I'm having misgivings: >> >> I'm being asked to create a user & group of "www" and to run >> httpd as this user & group. > >It would be a good idea to create a user and group for the sole purpose of >providing an identity for the running web server. But configuration files do >not need to be owned or writable by this user. > >> Additionally, I'm being asked to add "www" to the allowed/invited >> groups of a hosted user (in /etc/groups). > >It would be best not to add users to your web server group. Instead, configure >the web document directory permissions such that the web server itself may only >read files. This can be achieved by making the document directory owned by >the hosted user, in the web server group, and with 750 permissions. (Users >should be in their own groups, btw) > >In addition to limiting the web server's activity, it keeps other users from >seeing the contents of these document directories directly. > >If you run the suEXEC wrapper, the cgi-bin directory should be in the user's >group rather than the web server group. > >chflags(1) may be used to prevent the user from messing up your carefully >constructed directory permissions. Nice ideas, thanks! >> I've tried to explain that these are *very* bad ideas/practices >> but so far, I haven't been able to adequately explain that to >> the requesting parties. >> >> Can someone help me with a "good explanation" of why these >> are Bad Ideas (if indeed, they are bad, of course)? Citable >> sources would be Most Appreciated, too. :) >> >> I'd also appreciate pointers to other places (ie. mailing-lists) >> to ask if this is not "best/appropriate." :) >> >> Many thanks, >> >> -kc > >-- >daniel lawrence >AlphaZed Ltd Again, many thanks, -kc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109201506.LAA28764>