Date:      Wed, 5 Sep 2001 10:20:40 +1000
From:      "Haikal Saadh" <wyldephyre2@yahoo.com>
To:        Boris Köster <koester@x-itec.de>, Søren Neigaard <neigaard@e-box.dk>, <freebsd-newbies@FreeBSD.ORG>
Cc:        <qustions@freebsd.org>
Subject:   RE: httpd user for Apache?
Message-ID:  <PAELLGOEIMDLEJNEBOBOIEDACHAA.wyldephyre2@yahoo.com>
In-Reply-To: <3B956978.2775.279CA6EC@localhost>


[CC'ed to questions]

> -----Original Message-----
> From: owner-freebsd-newbies@FreeBSD.ORG
> [mailto:owner-freebsd-newbies@FreeBSD.ORG]On Behalf Of Boris Köster
> Sent: Wednesday, 5 September 2001 7:53 AM
> To: Søren Neigaard; freebsd-newbies@FreeBSD.ORG
> Subject: Re: httpd user for Apache?
>
>
> On 4 Sep 2001 at 20:53, Søren Neigaard wrote:
>
> > I have read somewhere that it is a good idea to make your
> > applications run under specific users, and not under root. What is the
> > best way to configure such a user, as an example a user for the Apache
> > httpd daemon (I got so far as to name the user httpd). Should it be in
> > a specific group, have restricted rights and so on...
>
> httpd.conf [snip]:
>
>     # If you wish httpd to run as a different user or group, you must run
>     # httpd as root initially and it will switch.
>     #
>     # User/Group: The name (or #number) of the user/group to run httpd as.
>     #  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
>     #  . On HPUX you may not be able to use shared memory as nobody, and the
>     #    suggested workaround is to create a user www and use that user.
>     #  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
>     #  when the value of (unsigned)Group is above 60000;
>     #  don't use Group nobody on these systems!
>     #
>     User nobody
>     Group nobody
>
>
> Tip: search for "SuExec" and CGIwrap somewhere for other, more or
> less paranoia
> security *gg
>
>
> You can play the same game with user/group in your virtual domains.

One of the reasons for running Apache as a separate user/group (such as
www/www, as I do) would be that certain CGI scripts expect to be read by the
webserver, and not anyone else, and there are quite a few processes that run
as nobody by default. Am I right on this?


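As an added example (not from the thread or from Apache itself), a small POSIX shell audit of the User/Group directives quoted above: it flags the shared `nobody` account the reply argues against, a `User root` that would never drop privileges, and the numeric-gid-above-60000 caveat from the httpd.conf comment. It assumes the path to an httpd.conf is passed as the first argument; the sample config at the bottom is constructed.

```shell
# Added example, not from the thread: audit the User/Group directives of an
# httpd.conf and report settings that defeat the "dedicated account" advice.
# Assumption: the path to httpd.conf is passed as the first argument.
check_httpd_user() {
    conf="$1"
    rc=0
    # Take the last uncommented User/Group directive: Apache honours the last
    # one it sees in the main server context.
    user=$(awk '$1 !~ /^#/ && tolower($1) == "user"  { u = $2 } END { print u }' "$conf")
    group=$(awk '$1 !~ /^#/ && tolower($1) == "group" { g = $2 } END { print g }' "$conf")

    if [ -z "$user" ] || [ -z "$group" ]; then
        echo "FAIL: User or Group directive missing"
        return 1
    fi
    case "$user" in
        root)   echo "FAIL: User root: httpd would never drop privileges"; rc=1 ;;
        nobody) echo "WARN: User nobody is shared with other daemons; use a dedicated account such as www"; rc=1 ;;
    esac
    case "$group" in
        nobody) echo "WARN: Group nobody is shared with other daemons; use a dedicated group such as www"; rc=1 ;;
        \#*)    # Numeric gid: the httpd.conf comment warns that some kernels
                # refuse setgid()/semctl() when the gid is above 60000.
                gid=${group#\#}
                if [ "$gid" -gt 60000 ] 2>/dev/null; then
                    echo "WARN: Group $group: gid above 60000 may fail on some kernels"; rc=1
                fi ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: httpd runs as $user/$group"
    return "$rc"
}

# Constructed sample config mirroring the snippet quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# If you wish httpd to run as a different user or group,
# you must run httpd as root initially and it will switch.
User nobody
Group nobody
EOF
if check_httpd_user "$sample"; then echo "config accepted"; else echo "config needs changes"; fi
rm -f "$sample"
```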






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?PAELLGOEIMDLEJNEBOBOIEDACHAA.wyldephyre2>