From: "Boris Köster"
Organization: X-ITEC IT-Consulting http://www.x-itec.de
To: Søren Neigaard, freebsd-newbies@FreeBSD.ORG
Date: Tue, 4 Sep 2001 23:53:28 +0200
Subject: Re: httpd user for Apache?
Message-ID: <3B956978.2775.279CA6EC@localhost>
In-reply-to: <13211784995.20010904205308@e-box.dk>

On 4 Sep 2001 at 20:53, Søren Neigaard wrote:

> I have read somewhere that it is a good idea to make your
> applications run under specific users, and not under root. How is the
> best way to configure such a user, as an example a user for the Apache
> httpd daemon (I got so far as to name the user httpd). Should it be in
> a specific group, have restricted rights and so on...

httpd.conf [snip]:

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group nobody on these systems!
#
User nobody
Group nobody

Tip: search for "SuExec" and CGIwrap somewhere for other, more or less paranoid security *gg

You can play the same game with user/group in your virtual domains.

--
Boris Köster [MCSE|CNA] [C / C++ / PHP / FreeBSD / Security / Consulting]
.:= FREELANCER =:.
Maintainer of IPSEC Mini-HowTo | QSP | and more.
HTTP://www.x-itec.de * koester@x-itec.de
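As an added illustration of the points in the reply above (not part of the original mail or of Apache itself), the following script walks an httpd.conf, collects the User/Group directives for the main server and for each virtual host, and flags the settings the snippet warns about: running as root, a numeric Group above 60000, and "Group nobody". The sample configuration and the host addresses in it are constructed for the example.

```python
import re

# Constructed sample httpd.conf (Apache 1.3 style); not taken from the mail.
SAMPLE_CONF = """\
# comments and blank lines are ignored
User nobody
Group #65534
<VirtualHost 10.0.0.1>
    ServerName example.test
    User www
    Group www
</VirtualHost>
<VirtualHost 10.0.0.2>
    User root
</VirtualHost>
"""

GID_LIMIT = 60000  # from the httpd.conf comment: some kernels refuse setgid() above this


def parse_user_group(conf_text):
    """Return {scope: {"User": value, "Group": value}}; scope is "main" for the
    server-wide directives or the <VirtualHost ...> argument for a vhost block."""
    scopes, current = {"main": {}}, "main"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache only allows full-line comments
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if m:
            current = m.group(1).strip()
            scopes[current] = {}
            continue
        if line.lower() == "</virtualhost>":
            current = "main"
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("user", "group"):
            scopes[current][parts[0].capitalize()] = parts[1].strip()
    return scopes


def findings(scopes):
    """List (scope, directive, reason) for settings the httpd.conf note warns about."""
    out = []
    for scope, d in scopes.items():
        for key, val in d.items():
            if val.lower() in ("root", "#0"):
                out.append((scope, key, "runs as root"))
            elif key == "Group" and val.lower() == "nobody":
                out.append((scope, key, "Group nobody may map to a gid above %d" % GID_LIMIT))
            elif key == "Group" and val.startswith("#") and val[1:].isdigit() and int(val[1:]) > GID_LIMIT:
                out.append((scope, key, "numeric gid above %d" % GID_LIMIT))
    return out
```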