Reply With QuoteSince I am not god here take this with a grain of salt... I would say that since most of the time it is daemonized, it is run by root. So initially off the permissions are all there. Then as specific users the subprocesses can be run.
Hi,
Apps like apache and others should run as root. What are the best practices for creating these users? And how would you get say root to run a script as one?
# how do you get this to not add a /home/procuser dir?
adduser -s /sbin/nologin procuser
Thanx,
Since I am not god here take this with a grain of salt... I would say that since most of the time it is daemonized, it is run by root. So initially off the permissions are all there. Then as specific users the subprocesses can be run.
On my webhost that I pay for, apache runs as "nobody", on my RH9 machine, it runs as "apache", I would say you don't want to have it run as root. Should be a place in the config file to specify who to run as. As for adding the user, I would probably just edit the /etc/passwd file to add a user account for apache (or have it run as nobody I guess).
Hi,
Yes, but when i bin/apachectl sslstart; I have to do it as ROOT as I can't su as nobody. but the threads are run as nobody. How does that work?
thanx,
[quote author=Blaqb0x link=board=5;threadid=8032;start=0#msg73745 date=1068657402] Yes, but when i bin/apachectl sslstart; I have to do it as ROOT as I can't su as nobody. but the threads are run as nobody. How does that work?[/quote]
Any port <1024 can not be used by anyone aside from root, this is a security feature, let's say apache crashed and some user on your box started up their own webserver on port 80 (because it's open now that apache is out of the way) that looked like yours but stole passwords or something.
So when you do the apachectl sslstart it is run as root, ports 80 and 443 (for https) are grabbed, then the process switches to the apache or nobody user.
you choose what for it to run as in httpd.conf i like nobody because running things as root is bad
Running things as user 'nobody' isn't a lot better these days than running them as root. Over time, quite a number of things started using this scheme, which has the effect of completely defeating the purpose of the 'nobody' user.
With so many things using it, it's not really as 'non-priveleged' as it once was, so if someone can commandeer the 'nobody' account, they can do much more harm than used to be the case.
Create a user for each service you're providing from the machine. Lock down the account, and you should be ok. Apache, IIRC, runs a sort of 'superdaemon' as root - a parent process whose only real job is to manage the child processes, who all run as 'apache' or 'httpd' or something like that. Again, I might be remembering wrong, but I thought that this was done in response to a security concern that was diverted by the apache developers by implementing this sort of 'privelege separation' scheme.
I believe openssh does the same thing these days (or, it's an option on some platforms).
Posting Permissions
Bookmarks