From: Erick Mechler
To: Duckbreath
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 10 Dec 2002 11:36:59 -0800
Subject: Re: Privsep
Message-ID: <20021210193659.GI458@techometer.net>
In-Reply-To: <20021210192837.88790.qmail@web41302.mail.yahoo.com>

:: So how do I get sshd to run off the sshd user?
:: Would apache be cooperative with the www user as well,
:: or is that more tricky?

Privsep is just an sshd thing right now. If you do a system upgrade via
source, the new user should get set up, and the appropriate chroot
environment (/var/empty) will as well. To enable sshd privsep, set

    UsePrivilegeSeparation yes

in /etc/ssh/sshd_config. As for running Apache as the www user, set

    User www
    Group www

in your httpd.conf file. Make sure that the user and group you choose can
read all the files in your DocumentRoot, too. The parent process will
continue to run as root (binding to privileged ports and all), but the
children will run as www.

Hope this helps...

Cheers - Erick
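As an added example, not code from Erick's post: a small POSIX sh audit of the two settings he describes (UsePrivilegeSeparation in sshd_config, User/Group in httpd.conf) plus the permissions of the privsep chroot directory. The file paths are passed in as parameters and the sample inputs are constructed for the demo, so it runs offline against copies rather than the live /etc/ssh/sshd_config and httpd.conf.

```shell
#!/bin/sh
# Added example, not from the post: audit the sshd privsep and Apache
# User/Group settings it describes. Paths are parameters so it can be
# run against copies; sample files below are constructed for the demo.

# sshd_config: the FIRST occurrence of a keyword is the one sshd uses,
# and a commented line has '#' in $1 so it never matches.
sshd_option() {  # $1=sshd_config path  $2=keyword  -> prints value
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# httpd.conf: a later directive overrides an earlier one, so LAST wins.
httpd_directive() {  # $1=httpd.conf path  $2=directive  -> prints value
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# 0 if UsePrivilegeSeparation is explicitly "yes", 1 otherwise.
privsep_enabled() {
    [ "$(sshd_option "$1" UsePrivilegeSeparation | tr 'A-Z' 'a-z')" = yes ]
}

# 0 if httpd.conf gives children a non-root User and a non-wheel Group.
apache_unprivileged() {
    u=$(httpd_directive "$1" User); g=$(httpd_directive "$1" Group)
    [ -n "$u" ] && [ -n "$g" ] && [ "$u" != root ] && [ "$g" != wheel ]
}

# 0 if the privsep chroot dir exists and is not group/other writable.
# The owner is printed rather than asserted: it must be root on a real
# host, but a demo run as an ordinary user cannot create such a dir.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    set -- "$1" $(ls -ld "$1")     # $2 = mode string, $4 = owner
    echo "  $1: owner=$4 mode=$2"
    case $2 in ?????w*|????????w*) return 1 ;; esac
}

# Constructed sample inputs so the script runs offline.
tmp=$(mktemp -d "${TMPDIR:-/tmp}/privsep.XXXXXX"); trap 'rm -rf "$tmp"' EXIT
printf '# UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\n' > "$tmp/sshd_config"
printf 'User www\nGroup www\n' > "$tmp/httpd.conf"
mkdir -m 755 "$tmp/empty"            # stand-in for /var/empty

privsep_enabled "$tmp/sshd_config" && echo "sshd: privsep enabled"
apache_unprivileged "$tmp/httpd.conf" && echo "apache: children drop to www"
chroot_dir_ok "$tmp/empty" && echo "chroot dir: not writable by group/other"
```

On a real host, point the three checks at /etc/ssh/sshd_config, your httpd.conf and /var/empty, and confirm the printed owner is root.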