striker at lunar-linux.org
Wed Apr 21 11:05:30 GMT 2004
Auke Kok wrote:
> on the personal opinion side: I think everyone setting up an apache
> should edit the .conf carefully and choose a proper uid for its daemons.
> having a specific uid for apache turns out to be beneficial but who says
> it needs to be 'xxx' and not 'yyy'
> that said it would be wise to check what FHS/LSB have to say about UID's
> for www daemons, please bear in mind that there is also a httpsd process
> that will need accordingly to be adjusted, so you're talking about 2
> used id's here.
> anyway, before you turn up a mess, here's a brief list of possibilities:
> www, w3, http, httpd, apache, web, https, httpsd.... the list of
> possible choices is endless... nobody isn't all that bad folks -
> especially for defaults.
> PS I don't see 'many' other processes running as nobody actually, are
> there actually modules that consistently use the uid 'nobody' ?

I'll look into what LSB has to say about it, but the common convention
I've seen between distributions is the user and group 'apache'.

Why is it we have a separate daemon for https anyway? Apache can listen
on both 80 and 443 at the same time, why use up more resources to have a
different set of daemons for each port?

Also, I didn't say that there were always many things that run as
nobody, but rather that it's a possibility; each admin runs their
servers a different way...

Another reason I brought this up has to do with a problem that someone
can have if they are selling webspace and have many daemons running as
nobody; a malicious user could do <?php shell_exec("killall -11
<process>"); ?> and kill it if that process is running as the same user
as apache. I just ran a test to confirm this too; I successfully killed
my spamassassin daemon.

The system requirements said "Windows 95 or better"
So I installed Linux.
Microsoft sells you Windows; Linux gives you the house.
Registered Linux User: 332618
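
The shared-account exposure described in the message above, as an added audit check that is not part of the original post: it reads `ps -eo user,pid,comm` style output and reports every non-web process running under the same account as the web server workers. The process names in WEB_NAMES, the sample listing and the function name are assumptions made for this example.

```python
from collections import defaultdict

# Names treated as the web server: httpd and httpsd are the daemons named in
# the thread; apache2 is an assumed alternative binary name.
WEB_NAMES = {"httpd", "httpsd", "apache2"}

# Constructed sample of `ps -eo user,pid,comm` output (not from a real host).
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init
root       412 httpd
nobody     415 httpd
nobody     416 httpd
nobody     530 spamd
nobody     611 httpsd
named      702 named
mysql      810 mysqld
"""


def shared_account_exposure(ps_text, web_names=WEB_NAMES):
    """Return {account: [(pid, command), ...]} for each non-web process that
    runs under an account also used by a web server worker."""
    by_user = defaultdict(list)
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 2)
        if len(fields) != 3 or not fields[1].isdigit():
            continue                               # ignore malformed rows
        by_user[fields[0]].append((int(fields[1]), fields[2].strip()))

    exposed = {}
    for user, procs in by_user.items():
        # Assumption: the root-owned parent never runs site scripts, so only
        # the workers' account decides what hosted code can signal.
        if user == "root":
            continue
        if not any(comm in web_names for _, comm in procs):
            continue
        others = sorted(p for p in procs if p[1] not in web_names)
        if others:
            exposed[user] = others
    return exposed


if __name__ == "__main__":
    for user, procs in shared_account_exposure(SAMPLE_PS).items():
        for pid, comm in procs:
            print(f"{user}: pid {pid} ({comm}) shares the web server's account")
```

An empty result means no other daemon shares the workers' account; anything listed should be moved to its own uid or the web server given a dedicated one.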