User and Group in httpd.conf

User and Group in httpd.conf

Post by Albert F » Thu, 15 Jun 1995 04:00:00



Are there any security risks involved by assigning the name and group to an
actual user who will be maintaining the web server, yet does not have root
privileges, as opposed to "nobody" as the default user?

Eg.

httpd.conf
----------
User  joe
Group webmanager


User and Group in httpd.conf

Post by Victor Parada » Thu, 15 Jun 1995 04:00:00


Hello world.


>Are there any security risks involved by assigning the name and group to an
>actual user who will be maintaining the web server, yet does not have root
>privileges, as opposed to "nobody" as the default user?

[example deleted]

Well, a bug or security hole in a script can be used to wipe out
all the files in the server owned by "joe" or in group "webmanager".

Currently, only log files must be owned by "nobody" in NCSA's httpd,
and could be affected by a bug... (it is supposed that version 1.4.1
doesn't allow CGIs to access log files)

If your scripts are secure and well-written, go ahead...

Bye...   ++Vitoco
--
Lic. Victor A. Parada                  __     __     Universidad Tecnica
Ingenieria Civil en Informatica     o-''))_____\\    Federico Santa Maria,
http://www.inf.utfsm.cl/~vparada/   c_c__/-c____/    +56 32 626364 x431 :-)


User and Group in httpd.conf

Post by Jon Lewi » Fri, 16 Jun 1995 04:00:00



> Are there any security risks involved by assigning the name and group to an
> actual user who will be maintaining the web server, yet does not have root
> privileges, as opposed to "nobody" as the default user?
> httpd.conf
> ----------
> User  joe
> Group webmanager

If user joe has mail or files in his home dir, and someone makes symlinks
to them, and you don't have that hole disabled, anyone can read his files.
Anyone who is allowed to install CGI scripts or can use EXEC CMD includes
basically has (can very easily have) shell access as joe, can trash joe's
files or modify/wipe out all your WWW pages.  Sounds like a potentially
bad idea, to me...unless you have complete trust in all the people who
have user accounts.

------------------------------------------------------------------
 Jon Lewis                      |  Mime attachments are OK

 http://inorganic5.chem.ufl.edu |  unsolicited huge files.
                                |  
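The risk the two replies describe comes down to one question: is the account named by the `User` directive a real person's login account (with a home directory, mail and a shell, like "joe") or a "nobody"-style service account with nothing to lose? The following script is an added example, not code from the thread or from NCSA httpd or Apache: it reads the `User` and `Group` directives from an httpd.conf and checks the user against a passwd-format file. Both input files are constructed samples written to a temp directory; the `directive`, `account_kind` and `audit_identity` function names, and the rule that a shell ending in `nologin`/`false` or a home of `/` or `/nonexistent` marks a service account, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the identity httpd.conf gives the
# server and flag a real login account, as opposed to a "nobody"-style one.
# The httpd.conf and passwd content below are constructed samples; in practice
# you would point the functions at the server's httpd.conf and /etc/passwd.

TMP=${TMPDIR:-/tmp}/httpd-ident.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/httpd.conf" <<'EOF'
# constructed sample httpd.conf, mirroring the configuration asked about
ServerType standalone
Port 80
User  joe
Group webmanager
EOF

cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
joe:x:1001:1001:Joe Webmaster:/home/joe:/bin/sh
EOF

# directive FILE NAME -> value of the last "NAME value" line in FILE
# (comment lines never have NAME as their first field, so they are skipped)
directive() {
    awk -v name="$2" '$1 == name { v = $2 } END { print v }' "$1"
}

# account_kind USER PASSWDFILE -> "service" when the account has no usable
# shell or home (like nobody), "login" for a real person's account,
# "missing" when USER is not in the file (assumed classification rule)
account_kind() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($7 ~ /(nologin|false)$/ || $6 == "/" || $6 == "/nonexistent")
                print "service"
            else
                print "login"
        }
        END { if (!found) print "missing" }' "$2"
}

# audit_identity CONF PASSWDFILE -> prints a verdict; returns 1 when a CGI bug
# or symlink trick would run with a real user's identity and files, 2 when
# the configured user does not exist, 0 otherwise
audit_identity() {
    u=$(directive "$1" User)
    g=$(directive "$1" Group)
    kind=$(account_kind "$u" "$2")
    case "$kind" in
        login)
            echo "WARN: User $u (Group $g) is a login account; its home, mail and WWW files are exposed to CGI bugs"
            return 1 ;;
        service)
            echo "OK: User $u (Group $g) is a service account with nothing of its own to lose"
            return 0 ;;
        *)
            echo "WARN: User $u is not in the passwd file; httpd will refuse to start or run as the wrong uid"
            return 2 ;;
    esac
}

audit_identity "$TMP/httpd.conf" "$TMP/passwd"
```

Run against the sample, the script reports that "joe" is a login account and exits 1, which is the case Jon Lewis warns about; switching the directive to `User nobody` gives the "service account" verdict. The check only looks at the server's own identity, not at what individual CGI scripts or server-side includes are allowed to do, so it complements rather than replaces a review of who may install scripts.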


Apache: User/Group directive in plain httpd.conf and VirtualHost

Hi,

who knows exactly how Apache deals with the User and Group directives,
either directly in httpd.conf or in a VirtualHost subsection? It seems
the plain version actually changes the user even for accessing direct
documents to be served by Apache, and especially for modules like
mod_php, but when these directives are set in a VirtualHost section, they
only apply to CGI scripts executed via suExec or CGIwrap? Am I right?

Does anybody know why the User is not even set with seteuid for a
VirtualHost? The server instance still could be reused, because seteuid
is reversible. And yet mod_php and mod_perl would be limited to that
user. It should be easy to prevent seteuid back to the real user-id for
such scripting languages.

Thanks
        Michael
