From owner-freebsd-ports Wed Feb 7 5:42: 0 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 5066737B401 for ; Wed, 7 Feb 2001 05:41:43 -0800 (PST)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id HAA26196; Wed, 7 Feb 2001 07:41:20 -0600 (CST) (envelope-from jeff-ml@mountin.net)
Received: from dial-85.max1.wa.cyberlynk.net(207.227.118.85) by peak.mountin.net via smap (V1.3) id sma026192; Wed Feb 7 07:41:18 2001
Message-Id: <4.3.2.20010207072120.00b21730@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Version 4.3
Date: Wed, 07 Feb 2001 07:39:14 -0600
To: Neil Blakey-Milner , Kris Kennaway
From: "Jeffrey J. Mountin"
Subject: Re: Needed: apache/httpd ports to use 'www' user
Cc: ports@FreeBSD.ORG
In-Reply-To: <20010207115736.A37769@rapier.smartspace.co.za>
References: <20010207014012.B22502@mollari.cthul.hu> <20010207014012.B22502@mollari.cthul.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:57 AM 2/7/01 +0200, Neil Blakey-Milner wrote:
>On Wed 2001-02-07 (01:40), Kris Kennaway wrote:
> > Subject says it all - we need to update the various webserver ports
> > (and any others) to not use the 'nobody' user, but to use a 'www' user
> > (which should be added to the base system, IMO). The 'nobody' user
> > should NOT confer any privileges on people who hold it - the fact that
> > e.g. apache runs as the nobody user is certainly a privilege, as it
> > will let attackers compromise the website if they gain access to the
> > nobody user by breaking some other utility.
> >
> > I've had discussions with Ade about this before, but don't know the
> > current status of the changes.
>
>I prefer a "httpd" bikeshed - it's less likely to have been used by
>others (and I've seen lots of places with a "www" group, and
>group-writable web pages). I personally use "apache", but that may be
>too specific; but I like specific.

Same here. A generic user/group for www (or httpd) could easily be changed to "apache" or just change the user name.

There was brief talk of this ages back, but mention of running more than one daemon or clobbering/touching /etc files seemed to kill the idea. Forget the specifics.

www:*:80:80::0:0:Apache Web Server:/nonexistent:/sbin/nologin

Or "HTTP Daemon" if you prefer that color.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
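The two checks an administrator would want from this thread, as an added example that is not part of the message or of the FreeBSD ports tree: validate that a master.passwd entry like the www line above is a locked daemon account, and count httpd processes still running as "nobody". The sample passwd entry and ps listing are constructed; the httpd path and the nologin locations are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Defender-side checks for the point the
# message makes: a web server should run as a dedicated locked account (the
# quoted www line), not as "nobody".
# FreeBSD master.passwd fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# check_service_account ENTRY EXPECTED_UID
# Returns 0 if ENTRY is a locked daemon account with the expected UID,
# otherwise prints the first problem found and returns 1.
check_service_account() {
    entry=$1
    expect_uid=$2
    nf=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    [ "$nf" = "10" ] || { echo "bad field count: $nf"; return 1; }
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f9)
    shell=$(printf '%s\n' "$entry" | cut -d: -f10)
    [ "$name" != "nobody" ] || { echo "daemon must not share the nobody account"; return 1; }
    [ "$pw" = "*" ] || { echo "password field must be '*' (no password login)"; return 1; }
    [ "$uid" = "$expect_uid" ] || { echo "uid $uid, expected $expect_uid"; return 1; }
    [ "$home" = "/nonexistent" ] || { echo "home should be /nonexistent, got $home"; return 1; }
    case $shell in
        /sbin/nologin|/usr/sbin/nologin) ;;   # assumed nologin locations
        *) echo "shell must be nologin, got $shell"; return 1 ;;
    esac
    return 0
}

# count_httpd_as_nobody PS_TEXT
# PS_TEXT has the shape of "ps -axo user,command" (one process per line,
# header allowed); prints how many httpd processes run as "nobody".
count_httpd_as_nobody() {
    printf '%s\n' "$1" | awk '$1 == "nobody" && $2 ~ /httpd$/ { n++ } END { print n + 0 }'
}

# Constructed sample data (not captured from a real system).
WWW_ENTRY='www:*:80:80::0:0:Apache Web Server:/nonexistent:/sbin/nologin'
SAMPLE_PS='USER     COMMAND
root     /usr/local/sbin/httpd
nobody   /usr/local/sbin/httpd
nobody   /usr/local/sbin/httpd
www      /usr/local/sbin/httpd'

if check_service_account "$WWW_ENTRY" 80; then echo "www entry: OK"; fi
echo "httpd processes still running as nobody: $(count_httpd_as_nobody "$SAMPLE_PS")"
```

On a live FreeBSD host the same functions can be fed `grep '^www:' /etc/master.passwd` and `ps -axo user,command`.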