Apache as nobody

Posted: Wed May 09, 2007 9:55 pm
by alex.barylski
The following is a small snippet of the server I currently have set up (Debian ETCH 4.0). It's a self-managed dedicated server which I plan on moving my clients to once it is set up and secure.

The Apache books I just read both suggest running Apache as user 'nobody', which is set in httpd.conf, easy enough, but by default it seems it's running as www-data (excluding the first because it's the parent process?).

root      5421  0.0  1.1  17036  5696 ?        Ss   21:43   0:00 /usr/sbin/apache2 -k start
www-data  5423  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5424  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5425  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5426  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5427  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
root      5432  0.0  0.1   3432  1004 pts/0    R+   21:44   0:00 ps -aux

I assume I can look up user 'www-root' and make it basically the same as 'nobody'? However, would it not be easier to just change the Apache setting to set each child process to 'nobody'?

I have cataloged all required Apache modules and made sure I read up on each to thoroughly understand them. I have removed webmin (which came as default) and have plans on using SFTP. Is there *any* reason I would ever need to run FTPd as root, or should it be my normal login as well?

Cheers :)

Posted: Thu May 10, 2007 12:44 am
by alex.barylski
Just to add. Found some articles; it appears as though apache2 (Debian ETCH) changes the way Apache is typically set up. www-data seems to be done for security, so if your mail server, etc. also run as nobody, and Apache is ever compromised, your mail server doesn't get taken advantage of.

That was kind of confusing... the way my books say one thing and Debian does another :P

Cheers :)
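The point the second post arrives at (a service account that is shared between daemons lets a compromise of one spill into the other) is easy to check from a process listing. The script below is an added example, not code from this thread or from Debian's apache2 package: it takes a `ps`-style listing (the one embedded here is constructed; on a live host use `ps -eo user,pid,comm`), reports which accounts a daemon's workers run as, flags any worker still running as root, and flags accounts that the daemon shares with another service. The daemon names `apache2`, `exim4` and `proftpd` in the sample are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Debian): audit the accounts
# a daemon's processes run as, and whether its worker account is shared with
# another service. SAMPLE_PS is a constructed listing in `ps -eo user,pid,comm`
# layout; replace it with real output on a live host.

SAMPLE_PS='USER     PID COMMAND
root    5421 apache2
www-data 5423 apache2
www-data 5424 apache2
www-data 5425 apache2
nobody  6001 exim4
nobody  6010 apache2
root    6100 proftpd'

# Distinct non-root accounts running the named daemon, sorted, one per line.
worker_users() {
    printf '%s\n' "$1" | awk -v cmd="$2" \
        'NR > 1 && $3 == cmd && $1 != "root" { print $1 }' | sort -u
}

# Number of the named daemon's processes running as root. For Apache exactly
# one is expected (the parent that binds port 80); more than one means the
# workers never dropped to the configured User.
root_count() {
    printf '%s\n' "$1" | awk -v cmd="$2" \
        'NR > 1 && $3 == cmd && $1 == "root" { n++ } END { print n + 0 }'
}

# Non-root accounts that run the named daemon AND some other command. A flaw in
# the daemon then exposes the other service's files and sockets as well, which
# is why Debian gives Apache its own www-data account instead of nobody.
shared_accounts() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        NR > 1 && $1 != "root" {
            pair[$1 SUBSEP $3] = 1
            if ($3 == cmd) runs_cmd[$1] = 1
        }
        END {
            for (k in pair) {
                split(k, p, SUBSEP)
                if (runs_cmd[p[1]] && p[2] != cmd) print p[1]
            }
        }' | sort -u
}

# Human-readable report; returns 1 when at least one finding is present.
audit_daemon() {
    listing=$1; cmd=$2; status=0
    echo "$cmd workers run as: $(worker_users "$listing" "$cmd" | tr '\n' ' ')"
    if [ "$(root_count "$listing" "$cmd")" -gt 1 ]; then
        echo "FINDING: more than one $cmd process runs as root"; status=1
    fi
    shared=$(shared_accounts "$listing" "$cmd")
    if [ -n "$shared" ]; then
        echo "FINDING: $cmd shares account(s) with other services: $shared"; status=1
    fi
    return $status
}

# With the constructed listing this reports that the 'nobody' account is shared
# between apache2 and exim4, exactly the situation the second post warns about.
audit_daemon "$SAMPLE_PS" apache2 || echo "audit finished with findings"
```

On Debian's apache2 package the worker account is not set directly in the config file the way the books describe; `apache2.conf` contains `User ${APACHE_RUN_USER}` and `Group ${APACHE_RUN_GROUP}`, and those variables are defined in `/etc/apache2/envvars`, which is where `www-data` comes from. Changing the account there and restarting Apache is enough; creating a second account identical to `nobody` would only recreate the sharing problem the script flags.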