Date:      Thu, 18 Oct 2001 08:12:49 -0400
From:      Yarema <yds@dppl.com>
To:        ports@FreeBSD.org
Cc:        Sheldon Hearn <sheldonh@starjuice.net>, "Andrey A. Chernov" <ache@nagual.pp.ru>
Subject:   Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned
Message-ID:  <864670000.1003407169@volyn.dppl.net>
In-Reply-To: <28552.1003405786@axl.seasidesoftware.co.za>
References:   <28552.1003405786@axl.seasidesoftware.co.za>

--On Thursday, October 18, 2001 13:49:46 +0200 Sheldon Hearn 
<sheldonh@starjuice.net> wrote:

>
>
> On Thu, 18 Oct 2001 15:43:06 +0400, "Andrey A. Chernov" wrote:
>
>> > Apache is not abusing nobody:nogroup -- users who don't configure
>> > their CGI  environment are.   The Right Thing is to run CGIs via
>> > suexec.
>>
>> No, Apache abuses nobody just running under it. It gains to it access
>> privileges it must not have.
>
> Now you've TOTALLY lost me.  You're saying processes shouldn't be run as
> nobody? :-)

OK, I'm kinda lost here too.  I understand that nobody:nogroup should not 
own any files.  I do not understand that 'Apache abuses nobody just running 
under it' by gaining 'access to privileges it must not have.'  What 
exactly are these privileges 'it must not have?'  Privileges to write 
files?  What is the proper use for nobody:nogroup?

>> > suexec works better if apache does run as nobody:nogroup.
>>
>> No. suexec works equally for any user/group.
>
> Exactly. :-)
>
> Ciao,
> Sheldon.

That may be true about suexec.  But why is nobody:nogroup any less or more 
equal than any other group for this purpose?  I always thought it an 
advantage to run apache+suexec as the least privileged user:group which 
never owns any files.

I'm not trying to be difficult -- I'm just looking to learn something new. 
Or in this case probably something very old. :)

-- 
Yarema
