[ale] Apache/webhosting user/group security/config

Transam transam at cavu.com
Wed Sep 19 00:50:54 EDT 2001 

> Hello:

> I'm trying to set up a webhosting server and have some questions
> about "properly secured" Apache configuration.  I've been
> digging through both books (Toxen, Garfinkel/Spafford, etc.) &
> security/apache-related websites & so far, cannot find answers
> to my "situation."

> Background/current configuration:

> Web content is to be in its own filesystem, outside of any of the
> "system" directories (for example, outside of /usr and /var).

The particular file system generally does not matter.  However, if static
content is on its own file system, you can mount it Read/Only for greater
security.  You can increase security even more by making the device
Read/Only.  For that matter, make the root file system and /usr (if
separate) Read/Only -- see my book for how to do this.

> In this installation, Apache (1.3.20) by default operates
> httpd as user/group "nobody/nogroup" and if I run apache+ssl,
> it runs httpd as user/group "nobody/nobody." (Question:  Are
> these "sane?")

NO.  The nobody use and nogroup group are for the use of NFS.  One should
not use the same user or group for different applications if any of them
carries a security risk (as NFS, especially, does).  Similarly, if you
run named (DNS), use the "-u" and "-g" flags to run it as a user and
group separate from Apache and separate from NFS.

> I need & plan to enable suEXEC & need to make sure that is
> properly done.  (For examples, what should I use for suEXEC's
> document-root directory?  And what other suEXEC configuration
> options should I consider?)

suEXEC is for running CGIs.  Often it is a good idea to run CGIs on
a separate machine so that if any of them are breached, the web pages
cannot be altered.  I explain various techniques and reasons in great
detail in the book.  It would take too long to discuss here.

> Here are some things with which I'm having misgivings:

> I'm being asked to create a user & group of "www" and to run
> httpd as this user & group.  (Currently, there is no user or
> group "www.")

Creating a user and group of www for Apache is an excellent idea.

> Additionally, I'm being asked to add "www" to the allowed/invited
> groups of a hosted user (in /etc/groups).

I don't know what you mean here.

> I've tried to explain that these are *very* bad ideas/practices
> but so far, I haven't been able to adequately explain that to
> the requesting parties.

> Can someone help me with a "good explanation" of why these
> are Bad Ideas (if indeed, they are bad, of course)?  Citable
> sources would be Most Appreciated, too.  :)

> Many thanks,

> -kc

You're welcome,

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

More information about the Ale mailing list