sprior at geekster.com
Wed Jul 23 14:27:34 PDT 2003
Dagmar d'Surreal wrote:
> Unless you're ignoring some of the many places on the web where the
> Apache team say that the webserver should run as its own userid and
> groupid, no one but the webserver and the system administrator should be
> able to read these scripts directly once they're in the DocumentRoot and
> have their permissions set. Hint hint. Web pages do not need to be
> mode 444.
You've made me think a little about my setup and how I should clean up my act.
I have apache running as "nobody", an account with no valid login shell.
However my web page directories are owned by httpd.httpd (which does have login
privs) and are world readable so "nobody" can see them. How important is it for
apache to be run as a user with no login shell? If it isn't a big deal, then
I'd be tempted to run apache as user httpd and lock down the directory
structure. The other option is to remove the login shell from user httpd, run
apache as user httpd, and lock down the directory structure granting group privs
to yet another id which can write to those directories.
What option is considered clean these days?
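
An audit of the two properties discussed in this thread (whether the server account has a login shell, and whether anything under the DocumentRoot is accessible to "other"), added here as an example and not part of the original post. The passwd-format sample, account entries, paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Account entries, paths and the passwd-format sample are constructed.

# Print the shell field for account $2 in passwd-format file $1; fail if absent.
shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7; found = 1 } END { exit !found }' "$1"
}

# Return 0 if account $2 can log in, 1 if its shell is nologin/false,
# 2 if the account is missing. An empty field means /bin/sh, so it counts.
has_login_shell() {
    sh_path=$(shell_of "$1" "$2") || return 2
    case "$sh_path" in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# List every path under $1 that grants any permission bit to "other".
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Strip all "other" bits under $1; owner and group bits are left alone.
# Giving the server's group read access (chgrp -R) needs root and is not done here.
lock_down() {
    chmod -R o-rwx "$1"
}

# Demo on a throwaway tree standing in for a DocumentRoot.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'nobody:x:99:99::/:/sbin/nologin' \
                  'httpd:x:80:80::/home/httpd:/bin/bash' > "$tmp/passwd"
    mkdir "$tmp/htdocs"
    echo '<?php /* constructed sample */ ?>' > "$tmp/htdocs/config.php"
    chmod 755 "$tmp/htdocs"; chmod 644 "$tmp/htdocs/config.php"
    for u in nobody httpd; do
        if has_login_shell "$tmp/passwd" "$u"; then echo "$u: login shell"
        else echo "$u: no login shell"; fi
    done
    echo "before: $(world_accessible "$tmp/htdocs" | wc -l) path(s) open to other"
    lock_down "$tmp/htdocs"
    echo "after:  $(world_accessible "$tmp/htdocs" | wc -l) path(s) open to other"
    rm -rf "$tmp"
}
demo
```

Once the "other" bits are stripped, the server account only reaches the files through owner or group membership, so the tree's group has to be one the server runs under.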