[users@httpd] Is a home directory for the httpd user safe?

[Tom Browder <to...@gmail.com>]

In order to run a service behind my reverse proxy I need to have a defined
user with some kind of writeable home directory.

The easy choice to get started is to create a /home/apache directory for my
apache user.

Is that safe or should I do something else?

I do have my systemd service file working, so I can create a new user for
that purpose if need be.

Thanks.

-Tom

Re: [users@httpd] Is a home directory for the httpd user safe?

[Tom Browder <to...@gmail.com>]

On Sun, Feb 27, 2022 at 3:24 PM Stormy <st...@stormy.ca> wrote:
>
> On 2022-02-27 10:31 a.m., Tom Browder wrote:
> > On Sun, Feb 27, 2022 at 09:11 Jeroen Verhoeckx
> > <j....@protonmail.com.invalid> wrote:
> >
> >> Why do you need a predefined user with a writeable home directory?
...

Sorry, I was not very clear: Raku has expectations about library
locations, etc., and I'm trying to sort out debugging info in a
strange (to me), hybrid environment. As it turns out, I was using
journalctl incorrectly and seeing old log info which misled me into
thinking I had a different Raku problem. For some reason, the Raku
module I'm using does have problems, but not directly associated with
Apache or systemd.

> Please do not blame your problems on "Raku" -- a quick look shows it to
> be a derivative of c or c++.  I started in FORTRAN in 1957, cobol in
> 1960, and have never, ever, blamed coding for any failure -- crap in,
> crap out -- YMMV.

I started in FORTRAN in 1961, and other languages since. I am a core
developer for  Raku, and I have never "blamed" the languages for my
failures. However, I do blame the language or program when they have
bugs. The problem then becomes whose bug ("blame") is it?  Usually it
is my problem, but this situation has been exasperating for me because
debugging it is hard and my program (and another user's published
module) seemed to behave differently in the systemd environment versus
my user space.

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Is a home directory for the httpd user safe?

[Stormy <st...@stormy.ca>]

On 2022-02-27 10:31 a.m., Tom Browder wrote:
> On Sun, Feb 27, 2022 at 09:11 Jeroen Verhoeckx
> <j....@protonmail.com.invalid> wrote:
> 
>> Why do you need a predefined user with a writeable home directory?
> 
> 
> Because that user executes the server loop behind the reverse proxy. The
> program running that server uses the Raku programming language which needs
> some default settings to execute.  I may be able to handle some of that in
> the governing systemd service file, but this way seems easier.

Please be more specific. "the server loop" behind "the reverse proxy" is 
totally meaningless without context.

Please do not blame your problems on "Raku" -- a quick look shows it to 
be a derivative of c or c++.  I started in FORTRAN in 1957, cobol in 
1960, and have never, ever, blamed coding for any failure -- crap in, 
crap out -- YMMV.

Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Is a home directory for the httpd user safe?

[Tom Browder <to...@gmail.com>]

On Sun, Feb 27, 2022 at 09:11 Jeroen Verhoeckx
<j....@protonmail.com.invalid> wrote:

> Why do you need a predefined user with a writeable home directory?


Because that user executes the server loop behind the reverse proxy. The
program running that server uses the Raku programming language which needs
some default settings to execute.  I may be able to handle some of that in
the governing systemd service file, but this way seems easier.

-Tom

Re: [users@httpd] Is a home directory for the httpd user safe?

[Jeroen Verhoeckx <j....@protonmail.com.INVALID>]

Why do you need a predefined user with a writeable home directory?

I have one, but I only use it to log in the system with ssh.

You can save all configuration in the directory '/etc/httpd/conf.d' (on RHEL).

- Jeroen


--------------------------------------------------------
Support the independent web, use Firefox



------- Original Message -------

On Sunday, February 27th, 2022 at 2:39 PM, Tom Browder <to...@gmail.com> wrote:

> In order to run a service behind my reverse proxy I need to have a defined user with some kind of writeable home directory.
>
> The easy choice to get started is to create a /home/apache directory for my apache user.
>
> Is that safe or should I do something else?
>
> I do have my systemd service file working, so I can create a new user for that purpose if need be.
>
> Thanks.
>
> -Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Is a home directory for the httpd user safe?

[Paul <st...@stormy.ca>]

On 2022-02-27 8:39 a.m., Tom Browder wrote:

Your query is probably too vague for a helpful response.  What system 
are you using?  What FAQs and documents have you read? What specific 
details are unclear?

> In order to run a service behind my reverse proxy I need to have a defined
> user with some kind of writeable home directory.

What "service"?  What "reverse proxy"?  What is "some kind of 
writeable"? Any directory chmod'ed to 222 would be "writaeable" by 
anybody (but you might need 666 to have anybody read it)
> 
> The easy choice to get started is to create a /home/apache directory for my
> apache user.

www-data (the "industry standard user") is most often not installed in 
/home.  What documentation are you relying upon for your "easy choice"?

> Is that safe or should I do something else?

Depends on user/group permissions -- again 222 is probably (but not 
guaranteed) safe but not very functional
> 
> I do have my systemd service file working, so I can create a new user for
> that purpose if need be.

If your computer actually boots to a usable interface, systemd is 
probably running...

Paul
---
Sunday's tired old sys-admin

> 
> Thanks.
> 
> -Tom
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org