Date: Tue, 18 Sep 2001 19:22:12 -0400 (EDT)
From: Kenneth W Cochran <kwc@world.std.com>
To: freebsd-stable@freebsd.org, freebsd-questions@freebsd.org
Subject: Apache/webhosting user/group security/config
Message-ID: <200109182322.TAA24517@world.std.com>
Hello:

I'm trying to set up a webhosting server and have some questions about "properly secured" Apache configuration. I've been digging through books, security/apache-related websites, and FreeBSD mail archives & so far, cannot find answers to my "situation."

Background/current configuration:

OS is FreeBSD 4.4-stable, recently cvsup'ed/built/running. Web content is to be in its own filesystem, outside of any of the "system" directories (for example, outside of /usr and /var).

The default installation of the apache port (1.3.20) operates httpd as user/group "nobody/nogroup" and the default apache+ssl port configuration runs httpd as user/group "nobody/nobody." (Question: How "sane" are these?)

I need & plan to enable suEXEC & need to make sure that is properly done. (For example, what should I use for suEXEC's document-root directory? And what other suEXEC configuration options should I consider?)

Here are some things with which I'm having misgivings:

I'm being asked to create a user & group of "www" and to run httpd as this user & group. Additionally, I'm being asked to add "www" to the allowed/invited groups of a hosted user (in /etc/groups).

I've tried to explain that these are *very* bad ideas/practices but so far, I haven't been able to adequately explain that to the requesting parties. Can someone help me with a "good explanation" of why these are Bad Ideas (if indeed, they are bad, of course)? Citable sources would be Most Appreciated, too. :)

I'd also appreciate pointers to other places (i.e. mailing-lists) to ask if this is not "best/appropriate." :)

Many thanks,

-kc

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109182322.TAA24517>