Date: Wed, 5 Sep 2001 21:06:46 +0200
From: Søren Neigaard
Message-ID: <1772950722.20010905210646@e-box.dk>
To: freebsd-newbies@FreeBSD.ORG
Subject: Re: httpd user for Apache?

>> I have read somewhere that it is a good idea to make your
>> applications run under specific users, and not under root. How is the
>> best way to configure such a user, as an example a user for the Apache
>> httpd daemon (I got so far as to name the user httpd). Should it be in
>> a specific group, have restricted rights and so on...

> httpd.conf [snip]:
> # If you wish httpd to run as a different user or group, you must run
> # httpd as root initially and it will switch.
> #
> # User/Group: The name (or #number) of the user/group to run httpd as.
> # . On SCO (ODT 3) use "User nouser" and "Group nogroup".
> # . On HPUX you may not be able to use shared memory as nobody, and the
> # suggested workaround is to create a user www and use that user.
> # NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
> # when the value of (unsigned)Group is above 60000;
> # don't use Group nobody on these systems!
> #
> User nobody
> Group nobody

> Tip: search for "SuExec" and CGIwrap somewhere for other, more or less paranoia
> security *gg
> You can play the same game with user/group in your virtual domains.

I'm sorry, but I don't quite get this :) Does this also mean that I
should install Apache as my new user? How do I run Apache as root, and
then switch to my new user?

--
Best regards,
 Søren                            mailto:neigaard@e-box.dk
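
What the quoted httpd.conf comment means by "run httpd as root initially and it will switch", shown as an added C example; it is not Apache's source and not part of the original message. The function name `drop_privileges` and the default account name `www` are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE /* exposes initgroups() on glibc; harmless on FreeBSD */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not an Apache function.
 * Returns 0 on success, -1 if the account is unusable (unknown, or uid 0),
 * -2 if a privilege-changing call failed (e.g. not started as root). */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1; /* never "drop" to a missing account or to root itself */

    /* Order matters: supplementary groups and gid first, uid last,
     * because after setuid() the process may no longer change groups. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -2;
    if (setgid(pw->pw_gid) != 0)
        return -2;
    if (setuid(pw->pw_uid) != 0)
        return -2;

    /* Verify the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
        return -2;
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "www"; /* assumed account name */

    /* A real server would bind port 80 and open its log files here,
     * while it still has root, and only then switch accounts. */
    int rc = drop_privileges(user);
    if (rc != 0) {
        fprintf(stderr, "cannot switch to %s (rc=%d)\n", user, rc);
        return 1;
    }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The server is installed and started by root as usual; the unprivileged account only has to exist and be named in the User and Group directives.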