From: "Haikal Saadh"
To: Boris Köster, Søren Neigaard
Subject: RE: httpd user for Apache?
Date: Wed, 5 Sep 2001 10:20:40 +1000

[CC'ed to questions]

> -----Original Message-----
> From: owner-freebsd-newbies@FreeBSD.ORG
> [mailto:owner-freebsd-newbies@FreeBSD.ORG]On Behalf Of Boris Köster
> Sent: Wednesday, 5 September 2001 7:53 AM
> To: Søren Neigaard; freebsd-newbies@FreeBSD.ORG
> Subject: Re: httpd user for Apache?
>
>
> On 4 Sep 2001 at 20:53, Søren Neigaard wrote:
>
> > I have read somewhere that it is a good idea to make your
> > applications run under specific users, and not under root. What is the
> > best way to configure such a user, as an example a user for the Apache
> > httpd daemon (I got so far as to name the user httpd). Should it be in
> > a specific group, have restricted rights and so on...
>
> httpd.conf [snip]:
>
> # If you wish httpd to run as a different user or group, you must run
> # httpd as root initially and it will switch.
> #
> # User/Group: The name (or #number) of the user/group to run httpd as.
> #  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
> #  . On HPUX you may not be able to use shared memory as nobody, and the
> #    suggested workaround is to create a user www and use that user.
> #  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
> #  when the value of (unsigned)Group is above 60000;
> #  don't use Group nobody on these systems!
> #
> User nobody
> Group nobody
>
>
> Tip: search for "SuExec" and CGIwrap somewhere for other, more or
> less paranoia security *gg
>
>
> You can play the same game with user/group in your virtual domains.

One of the reasons for running Apache as a separate user/group (such as
www/www, as I do) would be that certain CGI scripts expect to be read by the
webserver, and not anyone else, and there are quite a few processes that run
as nobody by default.

Am I right on this?
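
An added example, not part of the thread and not Apache's own tooling, of checking the point raised in the reply: whether the account named by `User` in httpd.conf is root, is shared with other daemons, or is dedicated to the web server. The function names, config snippets and process listing are constructed for illustration; the listing format assumes two columns, user and command.

```sh
#!/bin/sh
# Added example: classify the account httpd.conf drops privileges to.
# File contents and process names below are constructed sample data.

# Print the value of the last uncommented directive $1 in config file $2.
conf_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 } END { if (v != "") print v }' "$2"
}

# Count processes in a "USER COMMAND" listing ($2) that run as user $1
# and are not httpd itself (live source, e.g.: ps -axo user,comm).
shared_count() {
    awk -v u="$1" 'NR > 1 && $1 == u && $2 != "httpd" { n++ } END { print n + 0 }' "$2"
}

# Classify: unset (no User line), root, shared, or dedicated.
classify() {   # $1 = httpd.conf, $2 = process listing
    user=$(conf_value User "$1")
    if [ -z "$user" ]; then echo unset
    elif [ "$user" = root ] || [ "$user" = "#0" ]; then echo root
    elif [ "$(shared_count "$user" "$2")" -gt 0 ]; then echo shared
    else echo dedicated
    fi
}

demo=$(mktemp -d "${TMPDIR:-/tmp}/httpd-audit.XXXXXX") && trap 'rm -rf "$demo"' EXIT

cat > "$demo/nobody.conf" <<'EOF'
# User/Group: The name (or #number) of the user/group to run httpd as.
User nobody
Group nobody
EOF

cat > "$demo/www.conf" <<'EOF'
User www
Group www
EOF

cat > "$demo/ps.txt" <<'EOF'
USER COMMAND
root httpd
nobody httpd
nobody identd
nobody updatedb
www httpd
EOF

for conf in nobody.conf www.conf; do
    echo "$conf: $(classify "$demo/$conf" "$demo/ps.txt")"
done
```

A result of `shared` means a compromise of any other process under that account can read or signal the web server's files and processes, which is the case for `nobody` in the sample listing.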