From: Kris Kennaway
Date: Wed, 07 Feb 2001 01:40:12 -0800
Subject: Needed: apache/httpd ports to use 'www' user
To: ports@FreeBSD.org
Message-id: <20010207014012.B22502@mollari.cthul.hu>

Subject says it all - we need to update the various webserver ports (and any others) to not use the 'nobody' user, but to use a 'www' user (which should be added to the base system, IMO).

The 'nobody' user should NOT confer any privileges on people who hold it - the fact that e.g. apache runs as the nobody user is certainly a privilege, as it will let attackers compromise the website if they gain access to the nobody user by breaking some other utility.

I've had discussions with Ade about this before, but don't know the current status of the changes.

Kris
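An audit for the condition the message above describes, several unrelated services sharing one unprivileged account, is sketched below as an added example that is not part of the original message. It assumes input in the two-column form produced by `ps -axo user,comm`; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: flag accounts that more than one distinct service runs as.
# Assumed input: output of `ps -axo user,comm` (a header line, then "USER COMMAND").

# Constructed sample listing, not captured from a real host.
SAMPLE_PS='USER COMMAND
root init
nobody httpd
nobody httpd
nobody identd
www thttpd
root sshd'

# Print the distinct commands running as account $1, one per line (ps output on stdin).
commands_as_user() {
    awk -v u="$1" 'NR > 1 && $1 == u { print $2 }' | sort -u
}

# Print a finding and return 0 when account $1 is shared by more than one
# distinct command; return 1 when the account is dedicated or unused.
shared_account_finding() {
    acct=$1
    cmds=$(commands_as_user "$acct")
    count=$(printf '%s\n' "$cmds" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        printf 'SHARED %s: %s\n' "$acct" "$(printf '%s' "$cmds" | tr '\n' ' ')"
        return 0
    fi
    return 1
}

# Demonstration on the constructed sample: 'nobody' is shared, 'www' is not.
for account in nobody www; do
    printf '%s\n' "$SAMPLE_PS" | shared_account_finding "$account" ||
        printf 'OK %s: dedicated or unused\n' "$account"
done
```

On a live host, pipe `ps -axo user,comm` into `shared_account_finding nobody` in place of the sample.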