Date: Wed, 07 Feb 2001 07:39:14 -0600
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: Neil Blakey-Milner <nbm@mithrandr.moria.org>, Kris Kennaway <kris@obsecurity.org>
Cc: ports@FreeBSD.ORG
Subject: Re: Needed: apache/httpd ports to use 'www' user
Message-ID: <4.3.2.20010207072120.00b21730@207.227.119.2>
In-Reply-To: <20010207115736.A37769@rapier.smartspace.co.za>
References: <20010207014012.B22502@mollari.cthul.hu> <20010207014012.B22502@mollari.cthul.hu>

At 11:57 AM 2/7/01 +0200, Neil Blakey-Milner wrote:
>On Wed 2001-02-07 (01:40), Kris Kennaway wrote:
> > Subject says it all - we need to update the various webserver ports
> > (and any others) to not use the 'nobody' user, but to use a 'www' user
> > (which should be added to the base system, IMO). The 'nobody' user
> > should NOT confer any privileges on people who hold it - the fact that
> > e.g. apache runs as the nobody user is certainly a privilege, as it
> > will let attackers compromise the website if they gain access to the
> > nobody user by breaking some other utility.
> >
> > I've had discussions with Ade about this before, but don't know the
> > current status of the changes.
>
>I prefer a "httpd" bikeshed - it's less likely to have been used by
>others (and I've seen lots of places with a "www" group, and
>group-writable web pages). I personally use "apache", but that may be
>too specific; but I like specific.

Same here. A generic user/group for www (or httpd) could easily be changed to "apache" or just change the user name.

There was brief talk of this ages back, but mention of running more than one daemon or clobbering/touching /etc files seemed to kill the idea.

Forget the specifics.

www:*:80:80::0:0:Apache Web Server:/nonexistent:/sbin/nologin

Or "HTTP Daemon" if you prefer that color.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
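
The concern raised in this thread (several daemons sharing the 'nobody' account) and the passwd entry proposed in the reply can both be checked mechanically. The script below is an added example, not part of the original message or of the FreeBSD ports tree; the process listing and the weak entry are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit for the shared-account problem discussed in the thread.

# Constructed sample in the form of `ps -axo user,comm` output, header removed.
SAMPLE_PS='root     syslogd
nobody   httpd
nobody   httpd
nobody   identd
www      thttpd
bind     named'

# master.passwd(5)-style lines: the entry proposed in the message, plus a
# constructed weak variant with a real home directory and a login shell.
GOOD_ENTRY='www:*:80:80::0:0:Apache Web Server:/nonexistent:/sbin/nologin'
WEAK_ENTRY='www:*:80:80::0:0:Apache Web Server:/usr/local/www:/bin/sh'

# Read "user command" lines on stdin and print every non-root account that
# runs more than one distinct program, followed by those programs.
shared_accounts() {
    awk '$1 != "root" && !seen[$1 SUBSEP $2]++ {
             n[$1]++; progs[$1] = progs[$1] (progs[$1] ? "," : "") $2
         }
         END { for (u in n) if (n[u] > 1) print u ": " progs[u] }'
}

# Check one 10-field master.passwd(5) line against the properties of the
# proposed entry. Prints one finding per problem; returns 1 if any was found.
check_service_entry() {
    printf '%s\n' "$1" | awk -F: '
        NF != 10             { print "not a 10-field master.passwd line"; bad = 1; exit }
        $2 != "*"            { print $1 ": password field is not *"; bad = 1 }
        $3 == 0              { print $1 ": uid 0"; bad = 1 }
        $1 == "nobody"       { print $1 ": shared nobody account"; bad = 1 }
        $9 != "/nonexistent" { print $1 ": home directory " $9; bad = 1 }
        $10 !~ /nologin$/    { print $1 ": login shell " $10; bad = 1 }
        END                  { exit bad + 0 }'
}

printf '%s\n' "$SAMPLE_PS" | shared_accounts
check_service_entry "$GOOD_ENTRY" && echo "proposed entry: ok"
check_service_entry "$WEAK_ENTRY" || echo "weak entry: flagged"
```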