[ale] Apache/webhosting user/group security/config
greg at turnstep.com
Wed Sep 19 08:37:41 EDT 2001
> And what other suEXEC configuration options should I consider?
http://httpd.apache.org/docs/suexec.html
> I'm being asked to create a user & group of "www" and to run
> httpd as this user & group. (Currently, there is no user or
> group "www.")
This is a perfectly fine practice. As with the nobody user, the idea is to run
httpd from a low-privilege account. One reason
to use "www" is to separate it from other things that may run
as "nobody". But strictly speaking, neither is more secure or
insecure than the other. Go with www:www.
> Additionally, I'm being asked to add "www" to the allowed/invited
> groups of a hosted user (in /etc/groups).
I think you are saying that a local user wants to belong to the
group "www"? Not necessary. You could limit all your web
stuff to being owned by the group www and make it
chmod 640, but the whole idea of a web server is to serve
files to the outside world, so they are, in effect, o+r anyway.
The web server thttpd goes so far as to refuse to serve files
on the local system that aren't world readable. There are some
limited circumstances where this user's request might be valid,
but we'd have to know some more information first.
> Can someone help me with a "good explanation" of why these
> are Bad Ideas (if indeed, they are bad, of course)? Citable
> sources would be Most Appreciated, too. :)
http://httpd.apache.org/docs
http://httpd.apache.org/docs/misc/security_tips.html
http://httpd.apache.org/docs/misc/FAQ.html
http://www.linuxplanet.com/linuxplanet/tutorials/1445/1/
http://builder.cnet.com/webbuilding/pages/Servers/Apache/ss02.html
and of course, this list is an excellent resource as well. :)
Greg Sabino Mullane
greg at turnstep.com PGP Key: 0x14964AC8 200109190835
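A small audit script illustrating the permission reasoning in the post above (added example, not code from the original message): with httpd running as www:www, a file is servable if it is world-readable (o+r) or, in the chmod 640 variant, owned by group www with g+r; thttpd refuses anything that is not world-readable. The document-root path and the group name "www" are assumptions.

```shell
#!/bin/sh
# Added example; not part of the original mailing-list post.
# Uses only mode bits (find -perm), so it reports what the server would see
# regardless of which user runs the audit.

# Print every regular file under $1 that is NOT world-readable (no o+r bit).
# thttpd refuses to serve these outright; Apache can serve them only if the
# www account reaches them through the group bit.
files_not_world_readable() {
    find "$1" -type f ! -perm -004 | sort
}

# Print files that are neither world-readable nor readable by group $2
# (default "www", an assumed group name): a server running as www:www
# cannot read these at all, so they show up as permission-denied errors.
files_unreadable_by_group() {
    grp=${2:-www}
    find "$1" -type f ! -perm -004 \( ! -group "$grp" -o ! -perm -040 \) | sort
}

# Usage: sh audit.sh /var/www/htdocs [group]   (docroot path is an assumption)
if [ $# -ge 1 ]; then
    echo "Not world-readable (thttpd would refuse these):"
    files_not_world_readable "$1"
    echo "Also unreadable by group ${2:-www} (httpd as www:www cannot serve these):"
    files_unreadable_by_group "$1" "${2:-www}"
fi
```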