Date: Thu, 18 Oct 2001 00:12:54 -0700 (PDT)
From: Doug Barton
To: "Andrey A. Chernov"
Cc: ports@FreeBSD.org
Subject: Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned
In-Reply-To: <20011017155854.A43168@nagual.pp.ru>
Message-ID: <20011017234403.W22111-100000@db-cvad-1-tmp.yahoo.com>

On Wed, 17 Oct 2001, Andrey A. Chernov wrote:

> Due to Apache mis-use of nobody:nogroup UID/GID (user nobody must not own
> any file in the system),

I'm a little confused by what you mean here. Is our apache port setting ownership on any files to user nobody? If so, it should be fixed not to do that. The point of user nobody is to have a user that does not own any file on the system (as you describe) but is able to read files that are world readable. Take a look at /etc/periodic/weekly/310.locate for a good example. Can you describe what exactly apache is doing wrong?

> I plan to switch apache to www:www instead. It
> breaks some related ports and they should be fixed by their maintainers.
> Moreover, it breaks existing cgi-bin-write setups too, group nogroup should
> be changed to www by webmasters.
I agree that SAs who need their cgi processes to write files should take appropriate steps to make sure that their apache user/group permissions are safe, but I'm afraid that the step you're taking is going to mask the problem and give people a false sense of security.

> Questions are:
>
> What is the best way to _automatically_ add www:www to
> /etc/{passwd,group}? I think about 'pw' command, but it will be nice if
> somebody already has a working example.

/usr/ports/mail/majordomo/scripts/createuser

One thing we might consider is making a nice /bin/sh script that takes arguments for adding users/groups and sticking it in ports/Mk so that we can have more standardization and less code bloat.

> I plan to add www:www to default etc directory passwd/group too. What is
> the best numerical value, if any, for www UID/GID?

The convention I've seen most often (and I also agree with for a variety of reasons) for services that run on ports < 1024 is to use the IANA service name and port. So, this really should have been user/group name http. Using www isn't the end of the world, since www is a known alias for http, but http is a better choice. I would like to suggest that we change this to http before we go too much further down this road. (Although frankly I think it's a bad idea.)

This convention isn't foolproof, as many systems (like ours) have standard user accounts in the < 1024 range already, but using this convention where it doesn't conflict with existing users helps prevent conflicts across different platforms in the same enterprise. FWIW, you can use this convention for services that run on ports > 1023 as well, although that's often more difficult to enforce, particularly at sites with a lot of users.

> Any other comments, of course, welcome.

If I'm doing the math right, you waited a whopping 2 hours between asking for comments and committing the changes to master.passwd and group.
It's often been discussed that waiting at least 3 days between asking for comments and taking action is reasonable, to allow for people to have time to read their mail, consider a response, and get it distributed to the list. This is totally reasonable for a change of this nature which is by no means urgent. I'm rather annoyed that this was jumped into without adequate review.

-- 
"We will not tire, we will not falter, and we will not fail."
- George W. Bush, President of the United States
September 20, 2001
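The kind of user/group creation script the thread asks for, written as an added example (it is not the majordomo createuser script, not from the thread, and not part of the ports tree). It uses pw(8) with the service-name/port convention described above and refuses to reuse a numeric id that already belongs to another name; PASSWD_FILE/GROUP_FILE and DRY_RUN are assumed knobs so the conflict check can be run against copies of the databases without touching the system.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent creation of a service
# account with pw(8). Convention from the discussion: name the account
# after the IANA service name and use its port as UID/GID (http -> 80),
# and never reuse a numeric id that already belongs to someone else.
# PASSWD_FILE/GROUP_FILE default to the live databases; point them at
# copies to check for conflicts first. DRY_RUN=1 prints the pw(8)
# commands instead of running them (assumed knobs, not pw(8) options).
: "${PASSWD_FILE:=/etc/passwd}"
: "${GROUP_FILE:=/etc/group}"

# Print the name that owns numeric id $2 in file $1 (passwd or group format).
name_for_id() { awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"; }
# Succeed if the name $2 is present in file $1.
name_exists() { awk -F: -v n="$2" '$1 == n { f=1 } END { if (f) exit 0; exit 1 }' "$1"; }
# Run a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Usage: add_service_account NAME ID [HOMEDIR]
# Creates group NAME (gid ID) and user NAME (uid ID) in that group.
# Returns 1 without changing anything if ID is taken by another name.
add_service_account() {
    name=$1; id=$2; home=${3:-/nonexistent}
    owner=$(name_for_id "$GROUP_FILE" "$id")
    if name_exists "$GROUP_FILE" "$name"; then
        echo "group $name already exists, leaving it alone"
    elif [ -n "$owner" ]; then
        echo "gid $id already belongs to group $owner; choose another id" >&2
        return 1
    else
        run pw groupadd "$name" -g "$id"
    fi
    owner=$(name_for_id "$PASSWD_FILE" "$id")
    if name_exists "$PASSWD_FILE" "$name"; then
        echo "user $name already exists, leaving it alone"
    elif [ -n "$owner" ]; then
        echo "uid $id already belongs to user $owner; choose another id" >&2
        return 1
    else
        # No login shell and no real home: the account only runs the daemon.
        run pw useradd "$name" -u "$id" -g "$name" -d "$home" \
            -s /usr/sbin/nologin -c "$name daemon"
    fi
}

# e.g.  DRY_RUN=1 sh add_service_account.sh http 80
if [ $# -ge 2 ]; then add_service_account "$@"; fi
```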