From: "Crist J. Clark"
Message-Id: <199907052231.SAA13699@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: Use of user nobody
In-Reply-To: <4.2.0.58.19990704224033.009a86f0@toy> from Ludwig Pummer at "Jul 4, 99 10:46:32 pm"
To: ludwigp@bigfoot.com (Ludwig Pummer)
Date: Mon, 5 Jul 1999 18:31:30 -0400 (EDT)
Cc: junkmale@xtra.co.nz, questions@FreeBSD.ORG
Reply-To: cjclark@home.com

Ludwig Pummer wrote,
> At 09:32 AM 7/5/1999 +1200, Dan Langille wrote:
> >Given the above, I recall reading somewhere that it's better to create a
> >separate user for apache (such as http). Any logic behind that reasoning?
>
> Well, on my system, I created an apache user so that I could have
> apache-related files like web password or config files that Apache should
> read but that other users couldn't.

You can do that with 'nobody' as well. But as someone else pointed
out, there _is_ a potential hole there if another program running
under nobody accesses them.

Confining the webserver to a specific user allows easier process
accounting and security auditing. I also like to take advantage of
group permissions (group www) to allow certain users the ability to
edit and add pages.
-- 
Crist J. Clark                           cjclark@home.com
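The two checks the reply above implies, as an added example that is not part of the original message: find accounts shared by more than one daemon, and find files that every local user can read or write. The function names are hypothetical and the process table is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Reads "USER COMMAND" lines with a header row (the shape of
# `ps -axo user,comm` output) and prints each non-root account that runs more
# than one distinct program. A file private to such an account is readable by
# every one of those programs, which is the hole with a shared 'nobody'.
shared_accounts() {
    awk 'NR > 1 && $1 != "root" && !seen[$1 SUBSEP $2]++ {
             n[$1]++
             cmds[$1] = (cmds[$1] == "" ? $2 : cmds[$1] "," $2)
         }
         END { for (u in n) if (n[u] > 1) print u ": " cmds[u] }' | sort
}

# Lists regular files under DIR with the "other" read or write bit set.
# Web password and private config files should never appear in this list;
# they belong to the web server's own user (or group) with no "other" access.
exposed_files() {
    find "$1" -type f \( -perm -0004 -o -perm -0002 \) -print | sort
}

# Constructed sample process table: two different daemons share 'nobody'.
sample_ps() {
    cat <<'EOF'
USER   COMMAND
root   syslogd
root   cron
nobody httpd
nobody httpd
nobody identd
bind   named
EOF
}

sample_ps | shared_accounts   # prints: nobody: httpd,identd
```

On a live system, pipe `ps -axo user,comm` into `shared_accounts` and point `exposed_files` at the directory holding the server's password and config files.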