From owner-freebsd-ports Wed Feb 7 1:58:17 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from rapier.smartspace.co.za (rapier.smartspace.co.za [66.8.25.34]) by hub.freebsd.org (Postfix) with SMTP id 1B09037B6A0 for ; Wed, 7 Feb 2001 01:57:58 -0800 (PST)
Received: (qmail 38270 invoked by uid 1001); 7 Feb 2001 09:57:37 -0000
Date: Wed, 7 Feb 2001 11:57:37 +0200
From: Neil Blakey-Milner
To: Kris Kennaway
Cc: ports@FreeBSD.org
Subject: Re: Needed: apache/httpd ports to use 'www' user
Message-ID: <20010207115736.A37769@rapier.smartspace.co.za>
References: <20010207014012.B22502@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010207014012.B22502@mollari.cthul.hu>; from kris@obsecurity.org on Wed, Feb 07, 2001 at 01:40:12AM -0800
Organization: Building Intelligence
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed 2001-02-07 (01:40), Kris Kennaway wrote:
> Subject says it all - we need to update the various webserver ports
> (and any others) to not use the 'nobody' user, but to use a 'www' user
> (which should be added to the base system, IMO). The 'nobody' user
> should NOT confer any privileges on people who hold it - the fact that
> e.g. apache runs as the nobody user is certainly a privilege, as it
> will let attackers compromise the website if they gain access to the
> nobody user by breaking some other utility.
>
> I've had discussions with Ade about this before, but don't know the
> current status of the changes.

I prefer a "httpd" bikeshed - it's less likely to have been used by
others (and I've seen lots of places with a "www" group, and
group-writable web pages). I personally use "apache", but that may be
too specific; but I like specific.

I've been working on moving zope to user zope - it's also the way I run
it by default.

"squid" is another good target.

Neil

--
Neil Blakey-Milner
nbm@mithrandr.moria.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
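As an added example (not part of either mail and not a FreeBSD ports tool), the check an administrator would run to find the situation Kris describes: several distinct daemons all running as the catch-all 'nobody' account, so that a hole in any one of them hands over the others' privileges. The process listing is constructed in the shape of `ps axo user,command`; `CATCHALL_ACCOUNTS` is an assumed list of accounts that should never double as a service identity.

```python
import subprocess
from collections import defaultdict

# Constructed sample in the format of `ps axo user,command` (header plus rows);
# not captured from a real host.
SAMPLE_PS = """\
USER     COMMAND
root     /usr/sbin/sshd
nobody   /usr/local/sbin/httpd -DSSL
nobody   /usr/local/sbin/httpd -DSSL
nobody   /usr/local/sbin/squid -sY
nobody   /usr/local/bin/python /usr/local/zope/z2.py
www      /usr/local/sbin/httpd
root     /usr/sbin/cron
"""

# Assumed set of accounts that mean "no one" rather than a specific service.
# Every daemon running as one of them shares privilege with every other
# daemon that does the same, which is the risk Kris's mail points out.
CATCHALL_ACCOUNTS = {"nobody", "nogroup", "daemon"}


def parse_ps(text):
    """Map each user to the set of distinct executables running as that user."""
    by_user = defaultdict(set)
    for line in text.strip().splitlines()[1:]:  # skip the header row
        user, _, command = line.partition(" ")
        exe = command.strip().split()[0]
        by_user[user].add(exe)
    return by_user


def shared_accounts(by_user, min_daemons=2):
    """Return {user: sorted executables} for catch-all accounts hosting at least
    min_daemons distinct programs, i.e. where one compromise reaches the others."""
    return {
        user: sorted(exes)
        for user, exes in by_user.items()
        if user in CATCHALL_ACCOUNTS and len(exes) >= min_daemons
    }


def audit_live():
    """Run the same check on the local host (needs a ps that takes BSD-style options)."""
    out = subprocess.run(["ps", "axo", "user,command"], capture_output=True, text=True, check=True).stdout
    return shared_accounts(parse_ps(out))


if __name__ == "__main__":
    for user, exes in shared_accounts(parse_ps(SAMPLE_PS)).items():
        print(f"{user}: {len(exes)} distinct daemons share this account: {', '.join(exes)}")
```

On the sample, 'nobody' is flagged for httpd, squid and the zope process, while the 'www' instance is not, since a dedicated account is exactly the fix the thread proposes.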