I'm learning as much as I can about Apache right now on a test box, before I deploy it as a web server to the world.
Anyway, I've noticed that when Apache runs, the parent process is root and the child processes are nobody:
Code:
cmmiller@probot:/var/www/htdocs/manual$ ps aux | grep httpd
root 2756 0.0 0.1 12240 252 ? Ss Nov12 0:00 /usr/sbin/httpd
nobody 2761 0.0 0.1 12364 384 ? S Nov12 0:00 /usr/sbin/httpd
nobody 2762 0.0 0.1 12392 388 ? S Nov12 0:00 /usr/sbin/httpd
nobody 2763 0.0 0.1 12348 416 ? S Nov12 0:00 /usr/sbin/httpd
nobody 2764 0.0 0.1 12240 360 ? S Nov12 0:00 /usr/sbin/httpd
nobody 2765 0.0 0.1 12392 372 ? S Nov12 0:00 /usr/sbin/httpd
nobody 2904 0.0 0.1 12392 368 ? S Nov12 0:00 /usr/sbin/httpd
nobody 4402 0.0 0.1 12364 428 ? S Nov13 0:00 /usr/sbin/httpd
cmmiller 13386 0.0 0.2 1676 616 pts/2 S+ 04:33 0:00 grep httpd
This is a possible security threat, in that running the parent process as root may allow an attacker root access to a machine.
Also, in /etc/apache/httpd.conf, Apache is set up with User and Group set to nobody:
Code:
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group "#-1" on these systems!
#
User nobody
Group nobody
So I've looked through the security links on this forum:
http://www.linuxquestions.org/questi...threadid=45261
And have found a URL that helps change all of this:
http://www.securityfocus.com/infocus/1694
1. The following commands create an Apache group and user, but I don't understand all of the flags. Can someone please explain?
Code:
pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
2. After running this, do I have to modify /etc/apache/httpd.conf to reflect the new Apache group/user?
Thanks
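Added example, not part of the original post: a shell check that reads the User directive from an httpd.conf and compares it with the owners of the httpd processes in a `ps aux` listing, the kind of check to run after changing User and Group. The function names and the sample input (modelled on the output above, with a constructed PID 2999) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: do httpd workers run as the account named by the User directive?

# Value of the last uncommented directive $1 in the config text on stdin.
conf_directive() {
    awk -v key="$1" '$1 == key { val = $2 } END { if (val != "") print val }'
}

# stdin: `ps aux` lines; $1: expected worker account.
# Prints "<pid> <user> <verdict>" per httpd process; returns 1 on any finding.
# Heuristic: ps aux has no PPID column, so the first root-owned httpd is taken as the parent.
audit_httpd() {
    awk -v want="$1" '
        $11 !~ /httpd$/ { next }      # skip non-httpd lines such as "grep httpd"
        $1 == "root" { roots++; print $2, $1, (roots == 1 ? "root-parent" : "EXTRA-ROOT"); next }
        $1 == want   { print $2, $1, "ok"; next }
                     { bad++; print $2, $1, "UNEXPECTED-USER" }
        END { exit ((roots > 1 || bad > 0) ? 1 : 0) }
    '
}

# Constructed sample input, modelled on the config and listing in the post.
sample_conf() {
    cat <<'EOF'
# User/Group: The name (or #number) of the user/group to run httpd as.
User nobody
Group nobody
EOF
}
sample_ps() {
    cat <<'EOF'
root      2756 0.0 0.1 12240 252 ?     Ss Nov12 0:00 /usr/sbin/httpd
nobody    2761 0.0 0.1 12364 384 ?     S  Nov12 0:00 /usr/sbin/httpd
nobody    2762 0.0 0.1 12392 388 ?     S  Nov12 0:00 /usr/sbin/httpd
cmmiller 13386 0.0 0.2  1676 616 pts/2 S+ 04:33 0:00 grep httpd
EOF
}

# Same listing plus a worker that did not drop privileges (constructed).
sample_ps_bad() {
    sample_ps
    echo 'root 2999 0.0 0.1 12392 368 ? S Nov12 0:00 /usr/sbin/httpd'
}

user=$(sample_conf | conf_directive User)
echo "configured worker account: $user"
sample_ps | audit_httpd "$user" && echo "result: workers match the User directive"
sample_ps_bad | audit_httpd "$user" || echo "result: findings above need review"
```

On a live system, feed the functions real data with `conf_directive User < /etc/apache/httpd.conf` and `ps aux | audit_httpd "$user"`.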