Re: user running apache daemon
From: Jeremy C. Reed (reed_at_reedmedia.net)
Date: 11/17/03
- Previous message: duane_at_sukkha.info: "Re: user running apache daemon"
- In reply to: angico: "user running apache daemon"
- Next in thread: Brian Hatch: "Re: user running apache daemon"
- Reply: Brian Hatch: "Re: user running apache daemon"
Date: Mon, 17 Nov 2003 09:41:50 -0800 (PST)
To: security-discuss@linuxsecurity.com

On Mon, 17 Nov 2003, angico wrote:
> i was wondering why the first process of apache runs as superuser,
> while the others run as nobody, as shown in the excerpt of "ps -aux"
> below. is it ok? doesn't it open any security breach?

Another poster replied about root. I am going to reply about "nobody".

I believe using "nobody" as the User is bad too. The nobody user is the
user that should be considered to have no privileges.

But it is often abused to run various services and tasks where it creates
files (maybe like a locate database or maybe a CGI makes some data file).
So now it is not unprivileged because your nobody-running webserver may
be able to modify files entirely unrelated.

Also, in website hosting situations where there are many websites from
different customers (and using CGI or SSI), they may be able to modify
data owned by "nobody" created by the other websites. Not good.

It is better to have a dedicated user and group (like "www-data" or "web")
for your Apache (and do not use that user and group for anything else).

And if hosting various websites (virtual hosting), then run each as their
own dedicated user and group.

Jeremy C. Reed
http://bsd.reedmedia.net/
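
The check this message argues for, written as an added example that is not part of the original post: it reads the Apache `User` directive and reports when that account is a catch-all such as "nobody" or is also running other services. The sample config, the `ps -eo user,comm` style listing, the `GENERIC_ACCOUNTS` set and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample inputs, not taken from the original post.
SAMPLE_CONF = """\
# User www-data
User nobody
Group nobody
UserDir public_html
"""
SAMPLE_PS = """\
USER     COMMAND
root     httpd
nobody   httpd
nobody   updatedb
nobody   in.tftpd
"""
# Assumption: accounts treated as shared catch-alls on this host.
GENERIC_ACCOUNTS = {"nobody", "daemon"}

def apache_identity(conf_text):
    """Return the last uncommented User and Group directive values."""
    ident = {"user": None, "group": None}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(User|Group)\s+(\S+)", line, re.IGNORECASE)
        if m:
            ident[m.group(1).lower()] = m.group(2).strip('"')
    return ident

def commands_by_user(ps_text):
    """Map each account in a `ps -eo user,comm` listing to its commands."""
    users = defaultdict(set)
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2:
            users[parts[0]].add(parts[1].strip())
    return users

def audit(conf_text, ps_text, server_cmd="httpd"):
    """List reasons the configured Apache account is not dedicated."""
    user = apache_identity(conf_text)["user"]
    if user is None:
        return ["no User directive found"]
    findings = []
    if user in GENERIC_ACCOUNTS:
        findings.append(f"Apache runs as generic account '{user}'")
    others = sorted(commands_by_user(ps_text)[user] - {server_cmd})
    if others:
        findings.append(f"'{user}' is shared with: {', '.join(others)}")
    return findings
```

Calling `audit(SAMPLE_CONF, SAMPLE_PS)` returns two findings for the sample data; a config whose `User` appears in the process listing only as `httpd` returns an empty list.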