Date: Thu, 18 Oct 2001 08:12:49 -0400
From: Yarema <yds@dppl.com>
To: ports@FreeBSD.org
Cc: Sheldon Hearn <sheldonh@starjuice.net>, "Andrey A. Chernov" <ache@nagual.pp.ru>
Subject: Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned
Message-ID: <864670000.1003407169@volyn.dppl.net>
In-Reply-To: <28552.1003405786@axl.seasidesoftware.co.za>
References: <28552.1003405786@axl.seasidesoftware.co.za>

--On Thursday, October 18, 2001 13:49:46 +0200 Sheldon Hearn
<sheldonh@starjuice.net> wrote:

>
>
> On Thu, 18 Oct 2001 15:43:06 +0400, "Andrey A. Chernov" wrote:
>
>> > Apache is not abusing nobody:nogroup -- users who don't configure
>> > their CGI environment are.  The Right Thing is to run CGIs via
>> > suexec.
>>
>> No, Apache abuses nobody just running under it. It gains to it access
>> privileges it must not have.
>
> Now you've TOTALLY lost me.  You're saying processes shouldn't be run as
> nobody? :-)

OK, I'm kinda lost here too.  I understand that nobody:nogroup should
not own any files.  I do not understand that 'Apache abuses nobody just
running under it' by gaining 'access to privileges it must not have.'
What exactly are these privileges 'it must not have?'  Privileges to
write files?  What is the proper use for nobody:nogroup?

>> > suexec works better if apache does run as nobody:nogroup.
>>
>> No. suexec works equally for any user/group.
>
> Exactly. :-)
>
> Ciao,
> Sheldon.

That may be true about suexec.  But why is nobody:nogroup any less or
more equal than any other group for this purpose?  I always thought it
an advantage to run apache+suexec as the least privileged user:group
which never owns any files.

I'm not trying to be difficult -- I'm just looking to learn something
new.  Or in this case probably something very old. :)

--
Yarema