[ale] Apache/webhosting user/group security/config
Kenneth W Cochran
kwc at world.std.com
Tue Sep 18 19:07:03 EDT 2001

Hello:

I'm trying to set up a webhosting server and have some questions
about "properly secured" Apache configuration.  I've been
digging through both books (Toxen, Garfinkel/Spafford, etc.) &
security/apache-related websites & so far, cannot find answers
to my "situation."

Background/current configuration:

Web content is to be in its own filesystem, outside of any of the
"system" directories (for example, outside of /usr and /var).
In this installation, Apache (1.3.20) by default operates
httpd as user/group "nobody/nogroup" and if I run apache+ssl,
it runs httpd as user/group "nobody/nobody."  (Question:  Are
these "sane?")

I need & plan to enable suEXEC & need to make sure that is
properly done.  (For example, what should I use for suEXEC's
document-root directory?  And what other suEXEC configuration
options should I consider?)

Here are some things about which I'm having misgivings:

I'm being asked to create a user & group of "www" and to run
httpd as this user & group.  (Currently, there is no user or
group "www.")

Additionally, I'm being asked to add "www" to the allowed/invited
groups of a hosted user (in /etc/groups).

I've tried to explain that these are *very* bad ideas/practices
but so far, I haven't been able to adequately explain that to
the requesting parties.

Can someone help me with a "good explanation" of why these
are Bad Ideas (if indeed, they are bad, of course)?  Citable
sources would be Most Appreciated, too.  :)

Many thanks,
-kc
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
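The following audit script is an added example and is not part of the original post or of Apache itself. It makes the risk in the post concrete: the account named by Apache's User/Group directives is the identity every virtual host's requests, and every CGI run without suEXEC, execute as, so each supplementary group added to that account (such as putting "www" into a hosted user's group) extends that shared reach to the group's files. The script reads the User and Group directives from an httpd.conf, lists every group in an /etc/group-style file that names the httpd account as a member, and flags any group beyond the account's own. It assumes the standard group-file layout and the classic Apache 1.3 directives; the httpd.conf and group file it runs against are constructed samples, and the hosted user "alice" is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits which account a
# hosted Apache runs as and whether that account has been added to any
# hosted user's group. Assumes the standard /etc/group layout
# (name:password:gid:member,member,...) and the classic Apache 1.3
# "User" / "Group" directives. All sample data below is constructed;
# the hosted user "alice" is hypothetical.

# Print "user:group" from the first User and Group directives in httpd.conf.
httpd_identity() {
    conf="$1"
    u=$(awk '$1 == "User"  { print $2; exit }' "$conf")
    g=$(awk '$1 == "Group" { print $2; exit }' "$conf")
    printf '%s:%s\n' "$u" "$g"
}

# List every group whose member field names the given user, one per line.
# Each such group widens what httpd (and any CGI it spawns without suEXEC)
# can read or write, for every virtual host on the machine at once.
supplementary_groups() {
    groupfile="$1"; user="$2"
    awk -F: -v u="$user" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$groupfile"
}

# Return 0 when the httpd account belongs to no group beyond its own primary
# group (as named by the Group directive); otherwise print the extra groups
# and return 1.
check_isolated() {
    groupfile="$1"; user="$2"; primary="$3"
    extra=$(supplementary_groups "$groupfile" "$user" | grep -v -x "$primary" || true)
    if [ -n "$extra" ]; then
        printf 'httpd account %s is also a member of: %s\n' \
            "$user" "$(printf '%s' "$extra" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Constructed sample files standing in for httpd.conf and /etc/group.
tmp=${TMPDIR:-/tmp}/ale-audit.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/httpd.conf" <<'EOF'
ServerRoot "/usr/local/apache"
User www
Group www
EOF

# "www" has been appended to the hosted user alice's group, the change the
# post was asked to make; bob's group is left alone.
cat > "$tmp/group" <<'EOF'
root:x:0:
nogroup:x:65534:
www:x:1001:
alice:x:1002:www
bob:x:1003:
EOF

ident=$(httpd_identity "$tmp/httpd.conf")
echo "httpd runs as $ident"
check_isolated "$tmp/group" "${ident%%:*}" "${ident##*:}" \
    || echo "remediation: remove ${ident%%:*} from those groups and use suEXEC for per-user CGI"
```

Run against a real host, point the two functions at the live httpd.conf and /etc/group instead of the sample files; a clean result means the web server account reaches hosted content only through ordinary file permissions on the content filesystem, which is the state suEXEC is designed to work from.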