Date: Wed, 19 Sep 2001 10:26:01 +0100 From: daniel lawrence <danny@AlphaZed.com> To: Kenneth W Cochran <kwc@world.std.com> Cc: freebsd-questions@freebsd.org Subject: Re: Apache/webhosting user/group security/config Message-ID: <20010919102601.D27122@alphazed.com> In-Reply-To: <200109182322.TAA24517@world.std.com>; from Kenneth W Cochran on Tue, Sep 18, 2001 at 07:22:12PM -0400 References: <200109182322.TAA24517@world.std.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Sep 18, 2001 at 07:22:12PM -0400, Kenneth W Cochran wrote: > Hello: > > I'm trying to set up a webhosting server and have some questions > about "properly secured" Apache configuration. I've been digging > through books, security/apache-related websites, and FreeBSD mail > archives & so far, cannot find answers to my "situation." > > Background/current configuration: > > OS is FreeBSD 4.4-stable, recently cvsup'ed/built/running. > > Web content is to be in its own filesystem, outside of any of the > "system" directories (for example, outside of /usr and /var). > > The default installation of the apache port (1.3.20) operates > httpd as user/group "nobody/nogroup" and the default apache+ssl > port configuration runs httpd as user/group "nobody/nobody." > (Question: How "sane" are these?") The intent of the usual nobody/nobody configuration for any daemon is to ensure the process runs with as few privileges as possible. The thinking is that if the process does not run as any system user or as any normal user, it can do minimal damage if it goes wrong. This breaks down, however, when you start having additional unrelated daemons also running as nobody. At this point you introduce the possibility that they may trample over one another. For example, if one process creates a file, it is owned by 'nobody'. The other daemon then has full permission to modify this file. There are other issues related to resource limits which get muddied when more than one unrelated application runs under the same identity. > I need & plan to enable suEXEC & need to make sure that is > properly done. (For examples, what should I use for suEXEC's > document-root directory? And what other suEXEC configuration > options should I consider?) http://httpd.apache.org/docs/suexec.html > Here are some things with which I'm having misgivings: > > I'm being asked to create a user & group of "www" and to run > httpd as this user & group. It would be a good idea to create a user and group for the sole purpose of providing an identity for the running web server. But configuration files do not need to be owned or writable by this user. > Additionally, I'm being asked to add "www" to the allowed/invited > groups of a hosted user (in /etc/groups). It would be best not to add users to your web server group. Instead, configure the web document directory permissions such that the web server itself may only read files. This can be achieved by making the document directory owned by the hosted user, in the web server group, and with 750 permissions. (Users should be in their own groups, btw) In addition to limiting the web server's activity, it keeps other users from seeing the contents of these document directories directly. If you run the suEXEC wrapper, the cgi-bin directory should be in the user's group rather than the web server group. chflags(1) may be used to prevent the user from messing up your carefully constructed directory permissions. > I've tried to explain that these are *very* bad ideas/practices > but so far, I haven't been able to adequately explain that to > the requesting parties. > > Can someone help me with a "good explanation" of why these > are Bad Ideas (if indeed, they are bad, of course)? Citable > sources would be Most Appreciated, too. :) > > I'd also appreciate pointers to other places (ie. mailing-lists) > to ask if this is not "best/appropriate." :) > > Many thanks, > > -kc -- daniel lawrence AlphaZed Ltd To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010919102601.D27122>