Date:      Tue, 4 Sep 2001 23:53:28 +0200
From:      "Boris Köster" <koester@x-itec.de>
To:        Søren Neigaard <neigaard@e-box.dk>, freebsd-newbies@FreeBSD.ORG
Subject:   Re: httpd user for Apache?
Message-ID:  <3B956978.2775.279CA6EC@localhost>
In-Reply-To: <13211784995.20010904205308@e-box.dk>

On 4 Sep 2001 at 20:53, Søren Neigaard wrote:

> I have read somewhere that it is a good idea to make your
> applications run under specific users, and not under root. What is the
> best way to configure such a user, as an example a user for the Apache
> httpd daemon (I got so far as to name the user httpd). Should it be in
> a specific group, have restricted rights and so on...

httpd.conf [snip]:

    # If you wish httpd to run as a different user or group, you must run
    # httpd as root initially and it will switch.
    #
    # User/Group: The name (or #number) of the user/group to run httpd as.
    #  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
    #  . On HPUX you may not be able to use shared memory as nobody, and the
    #    suggested workaround is to create a user www and use that user.
    #  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
    #  when the value of (unsigned)Group is above 60000;
    #  don't use Group nobody on these systems!
    #
    User nobody
    Group nobody


Tip: search for "SuExec" and CGIwrap somewhere for other, more or less
paranoia security *gg


You can play the same game with user/group in your virtual domains.



--
Boris Köster [MCSE|CNA]
[C / C++ / PHP / FreeBSD / Security / Consulting] .:= FREELANCER =:.
Maintainer of IPSEC Mini-HowTo | QSP | and more.
HTTP://www.x-itec.de * koester@x-itec.de
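
An added example, not part of the original message: a Python check of the User/Group directives shown in the httpd.conf excerpt, accepting the name or #number form and flagging id 0 and group ids above 60000 (the caveat in the excerpt's comments). The sample config, the uid/gid tables and all function names are constructed for illustration; a real check would resolve names against the system's passwd and group databases.

```python
import re

# Constructed sample data (not from the original message): an httpd.conf
# fragment and the name-to-id tables a real check would read from the system.
SAMPLE_CONF = """\
# User/Group: The name (or #number) of the user/group to run httpd as.
User nobody
Group nobody
"""
SAMPLE_UIDS = {"root": 0, "www": 80, "nobody": 65534}
SAMPLE_GIDS = {"wheel": 0, "www": 80, "nobody": 65534}

DIRECTIVE = re.compile(r"^\s*(User|Group)\s+(\S+)\s*$", re.IGNORECASE)

def directives(conf_text):
    """Yield (line_no, kind, value) for every User/Group directive,
    including those inside <VirtualHost> sections."""
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # comment lines start with '#', never match
        if m:
            yield no, m.group(1).lower(), m.group(2)

def resolve(value, table):
    """Map a name or '#number' to a numeric id, or None if unknown."""
    if value.startswith("#"):
        return int(value[1:]) if value[1:].isdigit() else None
    return table.get(value)

def audit(conf_text, uids, gids):
    """Return a list of findings for the User/Group directives."""
    tables = {"user": uids, "group": gids}
    seen, findings = set(), []
    for no, kind, value in directives(conf_text):
        seen.add(kind)
        num = resolve(value, tables[kind])
        if num is None:
            findings.append(f"line {no}: {kind} '{value}' does not resolve to an id")
        elif num == 0:
            findings.append(f"line {no}: {kind} '{value}' is id 0, not an unprivileged account")
        elif kind == "group" and num > 60000:
            findings.append(f"line {no}: group id {num} is above 60000, setgid() may be refused")
    findings += [f"no {k.capitalize()} directive found" for k in ("user", "group") if k not in seen]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_UIDS, SAMPLE_GIDS):
        print(finding)
```

With the constructed tables, "Group nobody" resolves to an id above 60000, so the only finding for the sample is the setgid() caveat.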

