On Mon, 17 Nov 2003, angico wrote:

> I was wondering why the first process of apache runs as superuser,
> while the others run as nobody, as shown in the excerpt of "ps -aux"
> below. Is it ok? Doesn't it open any security breach?

Another poster replied about root. I am going to reply about "nobody".

I believe using "nobody" as the User is bad too. The nobody user is the user that should be considered to have no privileges. But it is often abused to run various services and tasks where it creates files (maybe like a locate database or maybe a CGI makes some data file). So now it is not unprivileged because your nobody-running webserver may be able to modify files entirely unrelated.

Also, in website hosting situations where there are many websites from different customers (and using CGI or SSI), they may be able to modify data owned by "nobody" created by the other websites. Not good.

It is better to have a dedicated user and group (like "www-data" or "web") for your Apache (and do not use that user and group for anything else). And if hosting various websites (virtual hosting), then run each as their own dedicated user and group.

Jeremy C. Reed
http://bsd.reedmedia.net/
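
A check for the situation described in the reply above, as an added example that is not part of the original message: it reads the User directive from an Apache config, lists which other commands run under that account, and finds files the account owns. The function names, the single-file config, and the process names treated as Apache (httpd, apache, apache2) are assumptions.

```shell
#!/bin/sh
# Added example: audit whether Apache shares its run-as account (e.g. "nobody").

# Print the last User directive in config file $1. Directive names are
# case-insensitive; comment lines are skipped. Assumes no Include files.
apache_run_user() {
    awk 'tolower($1) == "user" && $2 != "" { u = $2 } END { if (u != "") print u }' "$1"
}

# Read "user command" pairs (the format of `ps -eo user=,comm=`) on stdin and
# print the distinct commands running under account $1, one per line.
commands_run_as() {
    awk -v u="$1" '$1 == u { print $2 }' | sort -u
}

# List regular files under directory $2 owned by account $1 (name or uid).
files_owned_by() {
    find "$2" -xdev -user "$1" -type f -print 2>/dev/null
}

# $1 = config file, $2 = file holding a ps listing as described above.
# Returns 0 for a dedicated account, 1 for a shared one, 2 if none is set.
audit_apache_user() {
    user=$(apache_run_user "$1")
    [ -n "$user" ] || { echo "no User directive found"; return 2; }
    # Anything other than Apache itself running as this account means sharing.
    others=$(commands_run_as "$user" < "$2" | grep -v -E '^(httpd|apache2?)$' || true)
    if [ "$user" = "nobody" ] || [ -n "$others" ]; then
        echo "WARN: Apache runs as '$user'; other commands seen: ${others:-none}"
        return 1
    fi
    echo "OK: Apache runs as dedicated account '$user'"
}

# Stand-alone use: script.sh <httpd.conf> <ps-listing> <directory-to-scan>
if [ "$#" -eq 3 ]; then
    audit_apache_user "$1" "$2" || files_owned_by "$(apache_run_user "$1")" "$3"
fi
```

Files printed by the last step that sit outside the web server's own data are the ones a CGI or SSI script running as the same account could modify.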