Date: Wed, 5 Sep 2001 10:20:40 +1000
From: "Haikal Saadh" <wyldephyre2@yahoo.com>
To: Boris Köster <koester@x-itec.de>, Søren Neigaard <neigaard@e-box.dk>, <freebsd-newbies@FreeBSD.ORG>
Cc: <qustions@freebsd.org>
Subject: RE: httpd user for Apache?
Message-ID: <PAELLGOEIMDLEJNEBOBOIEDACHAA.wyldephyre2@yahoo.com>
In-Reply-To: <3B956978.2775.279CA6EC@localhost>

[CC'ed to questions]

> -----Original Message-----
> From: owner-freebsd-newbies@FreeBSD.ORG
> [mailto:owner-freebsd-newbies@FreeBSD.ORG]On Behalf Of Boris Köster
> Sent: Wednesday, 5 September 2001 7:53 AM
> To: Søren Neigaard; freebsd-newbies@FreeBSD.ORG
> Subject: Re: httpd user for Apache?
>
>
> On 4 Sep 2001 at 20:53, Søren Neigaard wrote:
>
> > I have read somewhere that it is a good idea to make your
> > applications run under specific users, and not under root. How is the
> > best way to configure such a user, as an example a user for the Apache
> > httpd daemon (I got so far as to name the user httpd). Should it be in
> > a specific group, have restricted rights and so on...
>
> httpd.conf [snip]:
>
> # If you wish httpd to run as a different user or group, you must run
> # httpd as root initially and it will switch.
> #
> # User/Group: The name (or #number) of the user/group to run httpd as.
> #  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
> #  . On HPUX you may not be able to use shared memory as nobody, and the
> #    suggested workaround is to create a user www and use that user.
> #  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
> #  when the value of (unsigned)Group is above 60000;
> #  don't use Group nobody on these systems!
> #
> User nobody
> Group nobody
>
>
> Tip: search for "SuExec" and CGIwrap somewhere for other, more or less paranoia
> security *gg
>
>
> You can play the same game with user/group in your virtual domains.

One of the reasons for running apache as a separate user/group (such as
www/www, as I do) would be that certain CGI scripts expect to be read by the
webserver, and not anyone else, and there are quite a few processes that run
as nobody by default.

Am I right on this?
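
Added example, not part of the original message and not code from the Apache distribution: a small audit of the User/Group directives discussed in this thread, covering the main server section and virtual hosts. The sample configuration, the `audit` function name and the contents of the `SHARED` set are assumptions made for illustration; the 60000 threshold is the one quoted in the httpd.conf comment.

```python
import re

# Constructed sample input (not from the original message): a main server
# section plus one virtual host that overrides the account.
SAMPLE_CONF = """\
# User/Group: The name (or #number) of the user/group to run httpd as.
User nobody
Group #65534
<VirtualHost 192.0.2.10>
    User root
    Group www
</VirtualHost>
"""

SHARED = {"nobody", "nogroup"}  # assumption: accounts other daemons also run as
GID_LIMIT = 60000               # threshold quoted in the httpd.conf comment


def audit(conf_text):
    """Return a list of (line_no, scope, directive, value, finding) tuples."""
    findings, scope = [], "main"
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"<(/?)VirtualHost\b([^>]*)>", line, re.I)
        if m:  # track which section a directive belongs to
            scope = "main" if m.group(1) else "vhost " + m.group(2).strip()
            continue
        m = re.match(r"(User|Group)\s+(\S+)", line, re.I)
        if not m:
            continue
        directive, value = m.group(1).capitalize(), m.group(2).strip('"')
        # "#number" form: a numeric uid/gid instead of a name
        numeric = int(value[1:]) if re.fullmatch(r"#\d+", value) else None
        if value == "root" or numeric == 0:
            finding = "root or id 0: server is not dropping privileges"
        elif value in SHARED:
            finding = "account shared with other daemons"
        elif directive == "Group" and numeric is not None and numeric > GID_LIMIT:
            finding = "gid above 60000 may be refused by setgid()"
        else:
            continue  # dedicated account such as www/www: nothing to report
        findings.append((no, scope, directive, value, finding))
    return findings
```

A configuration that names a dedicated account in every section, such as `User www` and `Group www`, produces an empty list.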