Date:      Thu, 18 Oct 2001 00:12:54 -0700 (PDT)
From:      Doug Barton <DougB@FreeBSD.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        ports@FreeBSD.org, <developers@FreeBSD.org>
Subject:   Re: HEADS UP: Apache port change from nobody:nogroup to www:www planned
Message-ID:  <20011017234403.W22111-100000@db-cvad-1-tmp.yahoo.com>
In-Reply-To: <20011017155854.A43168@nagual.pp.ru>

On Wed, 17 Oct 2001, Andrey A. Chernov wrote:

> Due to Apache mis-use of nobody:nogroup UID/GID (user nobody must not own
> any file in the system),

	I'm a little confused by what you mean here. Is our apache port
setting ownership on any files to user nobody? If so, it should be fixed
not to do that. The point of user nobody is to have a user that does not
own any file on the system (as you describe) but is able to read files
that are world readable. Take a look at /etc/periodic/weekly/310.locate
for a good example. Can you describe what exactly apache is doing wrong?

> I plan to switch apache to www:www instead. It
> breaks some related ports and they should be fixed by their maintainers.
> Moreover, it breaks existing cgi-bin-write setups too, group nogroup should
> be changed to www by webmasters.

	I agree that sa's that need their cgi processes to write files
should take appropriate steps to make sure that their apache user/group
permissions are safe, but I'm afraid that the step you're taking is going
to mask the problem and give people a false sense of security.

> Questions are:
>
> What is the best way to _automatically_ add www:www to
> /etc/{passwd,group}?  I think about 'pw' command, but it will be nice if
> somebody already has a working example.

	/usr/ports/mail/majordomo/scripts/createuser. One thing we might
consider is making a nice /bin/sh script that takes arguments for adding
users/groups and sticking it in ports/Mk so that we can have more
standardization and less code bloat.

> I plan to add www:www to default etc directory passwd/group too. What is
> the best numerical value, if any, for www UID/GID?

	The convention I've seen most often (and I also agree with for a
variety of reasons) for services that run on ports < 1024 is to use the
IANA service name and port. So, this really should have been user/group
name http. Using www isn't the end of the world, since www is a known
alias for http, but http is a better choice. I would like to suggest that
we change this to http before we go too much further down this road.
(Although frankly I think it's a bad idea.)

	This convention isn't foolproof, as many systems (like ours) have
standard user accounts in the < 1024 range already, but using this
convention where it doesn't conflict with existing users helps prevent
conflicts across different platforms in the same enterprise. FWIW, you can
use this convention for services that run on ports > 1023 as well,
although that's often more difficult to enforce, particularly at sites
with a lot of users.

> Any other comments, of course, welcome.

	If I'm doing the math right, you waited a whopping 2 hours between
asking for comments and committing the changes to master.passwd and group.
It's often been discussed that waiting at least 3 days between asking for
comments and taking action is reasonable, to allow for people to have time
to read their mail, consider a response, and get it distributed to the
list. This is totally reasonable for a change of this nature which is by
no means urgent. I'm rather annoyed that this was jumped into without
adequate review.

-- 
    "We will not tire, we will not falter, and we will not fail."
	- George W. Bush, President of the United States
          September 20, 2001
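As an added example (not from this thread or the ports tree), the kind of /bin/sh helper the reply suggests for ports/Mk: it inspects the given passwd and group files, prints only the pw(8) commands still needed, and refuses when the requested numeric ID is already held by a different name. The name www, the ID 80 (the IANA http port, following the convention discussed above) and the sample passwd/group entries are assumed example values.

```sh
#!/bin/sh
# Added example, not from the original thread or the ports tree.
# Works out which pw(8) commands are still needed to add a service
# user and group, so a port can re-run it safely (idempotent), and
# refuses when the requested numeric ID is already taken by another
# name (the "< 1024 conflict" case discussed above).  The passwd and
# group paths are parameters so the logic can be checked on copies.

# field_has FILE COLUMN VALUE: true if some line has VALUE in COLUMN
field_has() {
    awk -F: -v c="$2" -v v="$3" \
        '$c == v { hit = 1 } END { exit hit ? 0 : 1 }' "$1"
}

# plan_service_account NAME ID PASSWD_FILE GROUP_FILE
# Prints the pw commands still required; prints nothing when both
# already exist.  Returns 1 on an ID collision with another name.
plan_service_account() {
    name=$1; id=$2; passwd=$3; group=$4

    if ! field_has "$group" 1 "$name"; then
        if field_has "$group" 3 "$id"; then
            echo "conflict: GID $id already used by another group" >&2
            return 1
        fi
        echo "pw groupadd $name -g $id"
    fi

    if ! field_has "$passwd" 1 "$name"; then
        if field_has "$passwd" 3 "$id"; then
            echo "conflict: UID $id already used by another user" >&2
            return 1
        fi
        # no home, no login shell: the account exists only to own a process
        echo "pw useradd $name -u $id -g $name -c 'World Wide Web Owner'" \
             "-d /nonexistent -s /usr/sbin/nologin"
    fi
}

# Demo on constructed copies of passwd/group (example values; uid 80 = http)
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\n' > "$d/passwd"
    printf 'nobody:*:65534:65534:Unprivileged:/nonexistent:/usr/sbin/nologin\n' >> "$d/passwd"
    printf 'wheel:*:0:root\nnogroup:*:65533:\n' > "$d/group"
    plan_service_account www 80 "$d/passwd" "$d/group"
    rm -rf "$d"
}
demo
```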
