
Thread: Best practice for creating process users

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    417

    Best practice for creating process users

    Hi,

    Apps like apache and others should run as root. What are the best practices for creating these users? And how would you get say root to run a script as one?

    # how do you get this to not add a /home/procuser dir?
    adduser -s /sbin/nologin procuser

    Thanx,

  2. #2
    Moderator
    Good Guru
    Join Date
    Jul 2001
    Location
    Milwaukee, WI
    Posts
    5,760

    Re:Best practice for creating process users

    Since I am not god here, take this with a grain of salt... I would say that since most of the time it is daemonized, it is run by root. So initially off the permissions are all there. Then as specific users the subprocesses can be run.

  3. #3
    Senior Member
    Join Date
    May 2001
    Posts
    345

    Re:Best practice for creating process users

    On my webhost that I pay for, apache runs as "nobody"; on my RH9 machine, it runs as "apache". I would say you don't want to have it run as root. There should be a place in the config file to specify who to run as. As for adding the user, I would probably just edit the /etc/passwd file to add a user account for apache (or have it run as nobody, I guess).


  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    417

    Re:Best practice for creating process users

    Hi,

    Yes, but when I run bin/apachectl sslstart, I have to do it as ROOT as I can't su as nobody. But the threads are run as nobody. How does that work?

    thanx,

  5. #5

    Re:Best practice for creating process users

    Quote from Blaqb0x: "Yes, but when I run bin/apachectl sslstart, I have to do it as ROOT as I can't su as nobody. But the threads are run as nobody. How does that work?"

    Any port <1024 cannot be used by anyone aside from root. This is a security feature: let's say apache crashed and some user on your box started up their own webserver on port 80 (because it's open now that apache is out of the way) that looked like yours but stole passwords or something.

    So when you do the apachectl sslstart it is run as root, ports 80 and 443 (for https) are grabbed, then the process switches to the apache or nobody user.

  6. #6

    Re:Best practice for creating process users

    You choose what it runs as in httpd.conf. I like nobody because running things as root is bad.

  7. #7

    Re:Best practice for creating process users

    Running things as user 'nobody' isn't a lot better these days than running them as root. Over time, quite a number of things started using this scheme, which has the effect of completely defeating the purpose of the 'nobody' user.

    With so many things using it, it's not really as 'non-privileged' as it once was, so if someone can commandeer the 'nobody' account, they can do much more harm than used to be the case.

    Create a user for each service you're providing from the machine. Lock down the account, and you should be ok. Apache, IIRC, runs a sort of 'superdaemon' as root - a parent process whose only real job is to manage the child processes, who all run as 'apache' or 'httpd' or something like that. Again, I might be remembering wrong, but I thought that this was done in response to a security concern that was diverted by the apache developers by implementing this sort of 'privilege separation' scheme.

    I believe openssh does the same thing these days (or, it's an option on some platforms).

