Posted to users@httpd.apache.org by "M.D. DeWar" <ma...@s-wit.net> on 2003/11/14 17:52:44 UTC

[users@httpd] user/group setup for files in document and cgi dirs

Hello
I think I may have asked this before but don't recall and not sure if it was
on this list.
It says to run the apache daemon as nobody user and a nobody group.
That is done.

My questions concern the files in the cgi-bin and the document root.

Should those files be run as nobody.nobody also ?
Or do they need to be root.wheel (I don't think so but being a newbie I am
not sure.) or some other user group ?
I have some programs I installed and the user group does not exist and they
seem to run. So kinda confused.

Thanks
Mark



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] user/group setup for files in document and cgi dirs

Posted by "M.D. DeWar" <ma...@s-wit.net>.
Thanks.
one quickie.
Since it's already installed and running, will doing the chmod/chown it
suggests cause me problems with already running programs/services etc.?

thanks
mark
----- Original Message ----- 
From: "Joshua Slive" <jo...@slive.ca>
To: <us...@httpd.apache.org>
Sent: Friday, November 14, 2003 12:23 PM
Subject: Re: [users@httpd] user/group setup for files in document and cgi
dirs


>
> On Fri, 14 Nov 2003, Luis Gallegos wrote:
>
> > You wrote:
> > Should those files be run as nobody.nobody also ?
> >
> > The files in the cgi-bin directory can be from any owner, but it is
> > better that they be from nobody.
>
> I disagree on that.  If they are owned by nobody, then if somebody
> compromises the web server, they could modify these files.
>
> The safest thing is for them to be owned by root with only read/execute
> permission for group/other.  See:
> http://httpd.apache.org/docs-2.0/misc/security_tips.html#serverroot
>
> Joshua.
>


Re: [users@httpd] user/group setup for files in document and cgi dirs

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 14 Nov 2003, Luis Gallegos wrote:

> You wrote:
> Should those files be run as nobody.nobody also ?
>
> The files in the cgi-bin directory can be from any owner, but it is
> better that they be from nobody.

I disagree on that.  If they are owned by nobody, then if somebody
compromises the web server, they could modify these files.

The safest thing is for them to be owned by root with only read/execute
permission for group/other.  See:
http://httpd.apache.org/docs-2.0/misc/security_tips.html#serverroot

Joshua.
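
An added example, not part of the original message: a small audit for the rule described above, which lists anything under a cgi-bin or document root that the server account owns or that is writable by group/other. The function name audit_webtree and the example path are assumptions.

```sh
#!/bin/sh
# Added example: audit a cgi-bin or document root for entries that the web
# server account could modify. SERVER_USER defaults to "nobody", the account
# named in the thread; a numeric uid is also accepted by find.
#
# Two checks, applied to files and directories alike (a writable directory
# lets its files be replaced):
#   OWNED_BY_SERVER_USER     the owner can always rewrite or re-chmod the entry
#   GROUP_OR_OTHER_WRITABLE  the entry is writable without owning it
# Symlinks are skipped because their own mode bits are not meaningful.
#
# Usage: audit_webtree DIR [SERVER_USER]
# Prints "REASON path" per finding; returns 1 if anything was found, else 0.
audit_webtree() {
    dir=$1
    server_user=${2:-nobody}

    findings=$(
        find "$dir" ! -type l -user "$server_user" -print |
            sed 's/^/OWNED_BY_SERVER_USER /'
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/GROUP_OR_OTHER_WRITABLE /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Example call (path is an assumption; adjust to the local layout):
#   audit_webtree /usr/local/apache2/cgi-bin nobody
```

An empty result with exit status 0 means every entry is owned by some other account and carries no group/other write bit, which is the state the message above recommends.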



Re: [users@httpd] user/group setup for files in document and cgi dirs

Posted by Luis Gallegos <lg...@todo1.com>.
You wrote:
Should those files be run as nobody.nobody also ?

The files in the cgi-bin directory can be from any owner, but it is
better that they be from nobody.
The only thing these files need to execute is execution permissions. To
accomplish this for a cgi file, execute:
chmod 755 Your-cgi-file

	Luis 


On Fri, 2003-11-14 at 11:52, M.D. DeWar wrote:
> Hello
> I think I may have asked this before but don't recall and not sure if it was
> on this list.
> It says to run the apache daemon as nobody user and a nobody group.
> That is done.
> 
> My questions concern the files in the cgi-bin and the document root.
> 
> Should those files be run as nobody.nobody also ?
> Or do they need to be root.wheel (I don't think so but being a newbie I am
> not sure.) or some other user group ?
> I have some programs I installed and the user group does not exist and they
> seem to run. So kinda confused.
> 
> Thanks
> Mark
> 
> 
> 