Date: Wed, 07 Feb 2001 01:40:12 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: ports@FreeBSD.org
Subject: Needed: apache/httpd ports to use 'www' user
Message-ID: <20010207014012.B22502@mollari.cthul.hu>

Subject says it all - we need to update the various webserver ports (and any others) to not use the 'nobody' user, but to use a 'www' user (which should be added to the base system, IMO).

The 'nobody' user should NOT confer any privileges on people who hold it - the fact that e.g. apache runs as the nobody user is certainly a privilege, as it will let attackers compromise the website if they gain access to the nobody user by breaking some other utility.

I've had discussions with Ade about this before, but don't know the current status of the changes.

Kris
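
Added example (not part of the message above and not code from the FreeBSD ports tree): a small audit that reads `ps -axo user,comm` style output and lists non-root accounts running more than one distinct daemon, which is the shared-'nobody' condition the message describes. The function names and both sample process tables are constructed for illustration; excluding root is a choice made for this example.

```shell
#!/bin/sh
# List accounts that run more than one distinct daemon.
# Input on stdin: "USER COMMAND" lines, e.g. from `ps -axo user,comm`.
shared_service_accounts() {
    awk '
        NR == 1 && $1 == "USER" { next }       # skip the ps header line
        !seen[$1 SUBSEP $2]++ {                 # count each (user, command) pair once
            n[$1]++
            cmds[$1] = cmds[$1] (cmds[$1] ? "," : "") $2
        }
        END {
            for (u in n)
                if (n[u] > 1 && u != "root")    # root is out of scope for this check
                    print u ": " cmds[u]
        }
    ' | sort
}

# Constructed sample: web server and another utility both running as 'nobody'.
sample_before() {
    cat <<'EOF'
USER   COMMAND
root   syslogd
nobody httpd
nobody httpd
nobody identd
bind   named
EOF
}

# Constructed sample: the same host after the web server moves to 'www'.
sample_after() {
    cat <<'EOF'
USER   COMMAND
root   syslogd
www    httpd
www    httpd
nobody identd
bind   named
EOF
}

# Report for the "before" table: 'nobody' is shared by httpd and identd.
sample_before | shared_service_accounts
```

On a live system, pipe `ps -axo user,comm` into `shared_service_accounts` instead of the sample tables.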