Re: Privsep
From: Erick Mechler (emechler@techometer.net)
Date: 12/10/02
- Next message: Mike Hoskins: "Re: (slightly OT) IPSec with dynamic IP"
- Previous message: Duckbreath: "Privsep"
- In reply to: Duckbreath: "Privsep"
- Next in thread: Mike Hoskins: "Re: Privsep"
- Reply: Mike Hoskins: "Re: Privsep"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 10 Dec 2002 11:36:59 -0800 From: Erick Mechler <emechler@techometer.net> To: Duckbreath <duckbreath@yahoo.com>
:: So how do I get sshd to run off the sshd user?
:: Would apache be cooperative with the www user as well,
:: or is that more tricky?
Privsep is just an sshd thing right now. If you do a system upgrade via
source, the new user should get setup, and the appropriate chroot
environment will as well (/var/empty). To enable sshd privsep, set
UsePrivilegeSeparation yes
in /etc/ssh/sshd_config. As for running Apache as the www user, set
User www
Group www
in your httpd.conf file. Make sure that the user and group you choose can
read all the files in your DocumentRoot, too. The parent process will
continue to run as root (binding to privileged ports and all), but the
children will run as www).
Hope this helps...
Cheers - Erick
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Mike Hoskins: "Re: (slightly OT) IPSec with dynamic IP"
- Previous message: Duckbreath: "Privsep"
- In reply to: Duckbreath: "Privsep"
- Next in thread: Mike Hoskins: "Re: Privsep"
- Reply: Mike Hoskins: "Re: Privsep"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
