[ale] Apache/webhosting user/group security/config

greg at turnstep.com
Wed Sep 19 08:37:41 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> And what other suEXEC configuration options should I consider?

http://httpd.apache.org/docs/suexec.html

> I'm being asked to create a user & group of "www" and to run
> httpd as this user & group.  (Currently, there is no user or
> group "www.")

This is a perfectly fine practice. As with the nobody user, the idea is to run 
httpd from a low-privilege account. One reason 
to use "www" is to separate it from other things that may run 
as "nobody". But strictly speaking, neither is more secure or 
insecure than the other. Go with www:www.

> Additionally, I'm being asked to add "www" to the allowed/invited
> groups of a hosted user (in /etc/groups).

I think you are saying that a local user wants to belong to the 
group "www"? Not necessary. You could limit all your web 
stuff to being owned by the group www and make it 
chmod 640, but the whole idea of a web server is to serve 
files to the outside world, so they are, in effect, o+r anyway. 
The web server thttpd goes so far as to refuse to serve files 
on the local system that aren't world readable. There are some 
limited circumstances where this user's request might be valid, 
but we'd have to know some more information first.

> Can someone help me with a "good explanation" of why these
> are Bad Ideas (if indeed, they are bad, of course)?  Citable
> sources would be Most Appreciated, too.  :)

http://httpd.apache.org/docs
http://httpd.apache.org/docs/misc/security_tips.html
http://httpd.apache.org/docs/misc/FAQ.html
http://www.linuxplanet.com/linuxplanet/tutorials/1445/1/
http://builder.cnet.com/webbuilding/pages/Servers/Apache/ss02.html

and of course, this list is an excellent resource as well. :)

Greg Sabino Mullane
greg at turnstep.com PGP Key: 0x14964AC8 200109190835

-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iQA/AwUBO6iREbybkGcUlkrIEQLA3ACfSJfaKZhmBnJJJGqQN4NM4+NPALY
AoNlF
webeU/bXU6L4uJGjuHTSoxPE
=jeCf
-----END PGP SIGNATURE-----
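The reply above argues that files under a document root are effectively o+r anyway, so group-only (640) permissions buy little and only create a dependency on httpd's group membership. The following POSIX shell script is an added example, not part of the original list post: it classifies each file under a document root by who can read it (world, group, owner or nobody) from the mode bits, lists every file that is not world-readable, and shows which account the running httpd/apache2 processes belong to. The document root is taken as an argument; the process names `httpd` and `apache2` and the expected account `www` are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit who can read files under a
# web document root, and which account the web server processes run as.

# Classify the readers of one file from its mode bits. `ls -ld` is used rather
# than `stat` because its first ten columns (type + three rwx triplets) are
# portable across Linux and the BSDs.
classify_readers() {
    mode=$(ls -ld "$1" | cut -c1-10)
    owner_r=$(printf '%s' "$mode" | cut -c2)
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    if [ "$other_r" = "r" ]; then
        echo world          # any account, including "nobody", can read it
    elif [ "$group_r" = "r" ]; then
        echo group          # only readable if httpd is in the owning group
    elif [ "$owner_r" = "r" ]; then
        echo owner          # httpd can only read it if it owns the file
    else
        echo none           # not readable by any unprivileged account
    fi
}

# Walk a document root and report every file that is NOT world-readable,
# i.e. every file whose serving depends on the web server's user or group.
# Output: one line per file, "<group|owner|none> <path>".
audit_docroot() {
    find "$1" -type f | while IFS= read -r f; do
        readers=$(classify_readers "$f")
        [ "$readers" = "world" ] || printf '%s %s\n' "$readers" "$f"
    done
}

# List the distinct accounts the web server workers run as. Process names
# "httpd" and "apache2" are assumptions; adjust for your distribution.
httpd_users() {
    ps -eo user=,comm= | awk '$2 == "httpd" || $2 == "apache2" { print $1 }' | sort -u
}

# Stand-alone usage: ./audit.sh /path/to/docroot
if [ $# -gt 0 ]; then
    echo "Files not readable by the world under $1:"
    audit_docroot "$1"
    echo "Web server processes run as:"
    httpd_users
fi
```

Every path reported as `group` is a file that a server running as `www` can serve only because `www` is in the owning group; a path reported as `owner` or `none` is a file the server will not be able to read at all unless it owns it. If the audit prints nothing, the document root is already world-readable and adding `www` to a user's group changes nothing about what the server can serve.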
