Re: user running apache daemon


> > I was wondering why the first process of apache runs as superuser,
> > while the others run as nobody, as shown in the excerpt of "ps -aux"
> > below. Is it ok? Doesn't it open any security breach?
> 
> Another poster replied about root. I am going to reply about "nobody".
> 
> I believe using "nobody" as the User is bad too. The nobody user is the
> user that should be considered to have no privileges.
> 
> But it is often abused to run various services and tasks where it creates
> files (maybe like a locate database or maybe a CGI makes some data file).
> So now it is not unprivileged because your nobody-running webserver may
> be able to modify files entirely unrelated.

...

To add to Jeremy's points, with which I totally agree, I'd add/flesh out
one point.  

Long ago, folks ran unprivileged things as nobody.  All unprivileged
things.  This meant that if someone compromised your anonymous ftp
server that ran as nobody, they had read access to your web documents
and CGIs (which too frequently contained passwords) and such.

It makes much more sense to have a dedicated dummy user for each
service.

The nobody user should be avoided, as should 'doubling up' on a
dummy user.



--
Brian Hatch                  Does the name
   Systems and                Pavlov ring
   Security Engineer          a bell?
http://www.ifokr.org/bri/

Every message PGP signed
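
An added example, not part of the original message: a small audit of which non-root accounts are running as nobody or are shared by more than one distinct command, the two situations the message advises against. The function names, the output format, the choice to skip root and the sample process list are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of `ps -e -o user= -o comm=` output.
sample_ps() {
cat <<'EOF'
root     httpd
nobody   httpd
nobody   httpd
nobody   ftpd
nobody   updatedb
daemon   atd
daemon   portmap
www      nginx
www      nginx
ftp      vsftpd
EOF
}

# Reads "user command" lines on stdin and prints one finding per line:
#   <user> nobody-in-use <commands>   any process at all running as nobody
#   <user> shared <commands>          one account used by 2+ distinct commands
# Only the first word of the command name is used.
audit_shared_users() {
  awk '
    $1 == "root" { next }        # assumption: root is reviewed separately
    seen[$1, $2]++ { next }      # count each (user, command) pair once
    {
      count[$1]++
      cmds[$1] = (cmds[$1] == "" ? $2 : cmds[$1] "," $2)
    }
    END {
      for (u in count) {
        if (u == "nobody")     print u, "nobody-in-use", cmds[u]
        else if (count[u] > 1) print u, "shared", cmds[u]
      }
    }
  ' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
sample_ps | audit_shared_users
```

On a live host the same function can be fed with `ps -e -o user= -o comm= | audit_shared_users`; an empty result means every non-root account maps to a single command.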
