From owner-freebsd-stable Tue Sep 18 16:22:21 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from TheWorld.com (pcls4.std.com [199.172.62.106]) by hub.freebsd.org (Postfix) with ESMTP id 2979137B40B; Tue, 18 Sep 2001 16:22:15 -0700 (PDT)
Received: from world.std.com (world-f.std.com [199.172.62.5]) by TheWorld.com (8.9.3/8.9.3) with ESMTP id TAA13820; Tue, 18 Sep 2001 19:22:14 -0400
Received: (from kwc@localhost) by world.std.com (8.9.3/8.9.3) id TAA24517; Tue, 18 Sep 2001 19:22:12 -0400 (EDT)
Date: Tue, 18 Sep 2001 19:22:12 -0400 (EDT)
From: Kenneth W Cochran
Message-Id: <200109182322.TAA24517@world.std.com>
To: freebsd-stable@freebsd.org, freebsd-questions@freebsd.org
Subject: Apache/webhosting user/group security/config
Sender: owner-freebsd-stable@FreeBSD.ORG

Hello:

I'm trying to set up a webhosting server and have some questions about "properly secured" Apache configuration. I've been digging through books, security/Apache-related websites, and FreeBSD mail archives, and so far cannot find answers to my "situation."

Background/current configuration:

OS is FreeBSD 4.4-stable, recently cvsup'ed/built/running. Web content is to be in its own filesystem, outside of any of the "system" directories (for example, outside of /usr and /var).

The default installation of the apache port (1.3.20) operates httpd as user/group "nobody/nogroup", and the default apache+ssl port configuration runs httpd as user/group "nobody/nobody." (Question: How "sane" are these?)

I need and plan to enable suEXEC and need to make sure that is properly done. (For example, what should I use for suEXEC's document-root directory? And what other suEXEC configuration options should I consider?)

Here are some things with which I'm having misgivings: I'm being asked to create a user and group of "www" and to run httpd as this user and group. Additionally, I'm being asked to add "www" to the allowed/invited groups of a hosted user (in /etc/group). I've tried to explain that these are *very* bad ideas/practices, but so far I haven't been able to adequately explain that to the requesting parties.

Can someone help me with a "good explanation" of why these are Bad Ideas (if indeed they are bad, of course)? Citable sources would be Most Appreciated, too. :) I'd also appreciate pointers to other places (i.e. mailing lists) to ask if this is not "best/appropriate." :)

Many thanks,
-kc
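The two permission questions in the post, modelled as an added example (this is not code from the original message, the Apache project or FreeBSD). Part one parses a constructed /etc/group excerpt and applies the ordinary Unix owner/group/other check to show what the httpd user gains once it is listed in a hosted user's group: every group-readable file of that user (here a constructed 0640 config file) becomes readable by httpd, and therefore by any CGI or PHP script the server runs for another customer. Part two models the ownership and mode checks suEXEC performs before it will run a CGI as the target user (not root, uid/gid at or above the compiled-in minimums, command under the document root, directory and file not group- or world-writable, file not setuid/setgid, directory and file owned by the target uid/gid). The user names, uids, paths, the document root /home/www/docs and the minimum uid/gid of 1000 are all assumptions made up for the example.

```python
"""Model of the two questions in the post, using constructed sample data only.

Part 1: what httpd can read once its user is added to a hosted user's group.
Part 2: the checks suEXEC applies to a CGI before running it as that user.
"""
import stat

# Constructed /etc/group excerpt (not a real system file). The "after" copy
# lists www in alice's group, which is the change the poster was asked to make.
GROUP_FILE_BEFORE = """\
wheel:*:0:root
www:*:80:
alice:*:1001:
bob:*:1002:
"""
GROUP_FILE_AFTER = GROUP_FILE_BEFORE.replace("alice:*:1001:", "alice:*:1001:www")

# Constructed users: name -> (uid, primary gid). www is the httpd user.
PASSWD = {"root": (0, 0), "www": (80, 80), "alice": (1001, 1001), "bob": (1002, 1002)}


def parse_group(text):
    """Return {gid: set of member names} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = {m for m in members.split(",") if m}
    return groups


def gids_of(user, group_text):
    """Primary gid plus every group that lists the user as a member."""
    _uid, primary = PASSWD[user]
    return {primary} | {g for g, members in parse_group(group_text).items() if user in members}


def may_access(user, group_text, st_uid, st_gid, mode, want):
    """Classic Unix DAC: exactly one of the owner/group/other triplets applies,
    chosen in that order. want is "r", "w" or "x"."""
    uid, _ = PASSWD[user]
    if uid == 0:
        return True
    if uid == st_uid:
        bits = {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR}
    elif st_gid in gids_of(user, group_text):
        bits = {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP}
    else:
        bits = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}
    return bool(mode & bits[want])


# alice's DB credentials, readable by alice and her group only (uid, gid, mode).
ALICE_CONF = (PASSWD["alice"][0], PASSWD["alice"][1], 0o640)


def httpd_can_read_alice_conf(group_text):
    """Can the httpd user (www) read alice's 0640 config under this /etc/group?"""
    return may_access("www", group_text, *ALICE_CONF, "r")


def suexec_checks(target, cmd_dir, cmd, docroot="/home/www/docs", uid_min=1000, gid_min=1000):
    """Model of the checks suEXEC performs before running cmd as target.

    cmd_dir and cmd are (path, st_uid, st_gid, mode) tuples standing in for
    stat() results. Returns a list of failure reasons; an empty list means the
    CGI would be allowed to run. docroot/uid_min/gid_min stand in for the
    values compiled into suexec (assumed here; the DocumentRoot case, not ~user).
    """
    uid, gid = PASSWD[target]
    dpath, duid, dgid, dmode = cmd_dir
    _cpath, cuid, cgid, cmode = cmd
    problems = []
    if uid == 0 or gid == 0:
        problems.append("target is root")
    if uid < uid_min:
        problems.append("uid below UID_MIN")
    if gid < gid_min:
        problems.append("gid below GID_MIN")
    if not dpath.startswith(docroot.rstrip("/") + "/"):
        problems.append("command not under document root")
    if dmode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory writable by others")
    if cmode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file writable by others")
    if cmode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("file is setuid or setgid")
    if (duid, dgid) != (uid, gid) or (cuid, cgid) != (uid, gid):
        problems.append("target uid/gid mismatch with directory or program")
    return problems


if __name__ == "__main__":
    print("www reads alice's config before:", httpd_can_read_alice_conf(GROUP_FILE_BEFORE))
    print("www reads alice's config after: ", httpd_can_read_alice_conf(GROUP_FILE_AFTER))
    cgi_dir = ("/home/www/docs/alice/cgi-bin", 1001, 1001, 0o755)
    print(suexec_checks("alice", cgi_dir, (cgi_dir[0] + "/form.cgi", 1001, 1001, 0o755)))
    print(suexec_checks("alice", cgi_dir, (cgi_dir[0] + "/form.cgi", 1001, 1001, 0o775)))
    print(suexec_checks("www", cgi_dir, (cgi_dir[0] + "/form.cgi", 1001, 1001, 0o755)))
```

The first part is the argument the poster is looking for: group membership is not a per-directory grant. Once www sits in alice's group, the server process, and anything it executes on behalf of any other customer, inherits read access to every file alice left at 0640, and write access to anything at 0660. The second part shows why suEXEC does not need that membership at all: it runs alice's CGIs as alice, and refuses to do so when the CGI or its directory is writable by the group or the world, which is exactly the state shared group membership tends to produce.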