LinuxQuestions.org


Lawrentium 11-22-2006 04:59 PM

Process Owner Questions
 
I've been working with Linux for a few months now. I feel comfortable enough now to set up a small file and web server now for my local network, but I still have some safety related questions.

The server runs as the user 'server' ;) . My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be potentially dangerous as far as I know, right? The same question goes for Samba and VSFTPD. Both are in a chroot jail in the 'server' home dir. Is it safe to leave these running as root or should I also run them as another user?

My final question is how do I change the owner of a process? I've searched all over the internet (at least that's how I feel by now) but I haven't been able to find the answer.

Thanks in advance!

win32sux 11-22-2006 06:05 PM

Quote:

Originally Posted by Lawrentium
I've been working with Linux for a few months now. I feel comfortable enough now to set up a small file and web server now for my local network, but I still have some safety related questions.

The server runs as the user 'server' ;) . My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be potentially dangerous as far as I know, right? The same question goes for Samba and VSFTPD. Both are in a chroot jail in the 'server' home dir. Is it safe to leave these running as root or should I also run them as another user?

it's best to run your daemons as non-root users whenever possible... also, it's even better to have separate non-root users for each daemon... this way if an attacker finds, for example, a code-execution vulnerability on one of the daemons, he won't be able to affect the other daemons (without further cracking)...

Quote:

My final question is how do I change the owner of a process? I've searched all over the internet (at least that's how I feel by now) but I haven't been able to find the answer.

daemon programs will usually come with a configuration file in which you can specify the user you want the program to run as... the way it usually goes is like: program is executed as root; program does whatever it needs to do with the root privileges; program drops root privileges and switches ownership to whatever non-root user you specified...

Capt_Caveman 11-22-2006 10:20 PM

Quote:

Originally Posted by Lawrentium
My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be a potentially dangerous as far as I know, right?

Could you post the relevant lines from your ps output (ps aux | grep httpd)?

It's normal for Apache to have one process running as root at all times. This is the master process which handles things like binding to port 80 (which requires root privileges). It then forks off a number of child processes that handle the actual connections and process the http requests. These child processes are usually owned by a non-root user such as 'apache' or 'nobody' (technically having a dedicated apache user is better). This configuration *is* secure and any type of overflow will occur with the permissions of the limited nobody/apache account rather than root. I believe you can run Apache completely non-root but it can't bind port 80, so you'd need to modify the port to something >1023.
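
An added example, not part of the thread or any poster's code: a Python sketch that reads `ps aux`-style output and labels each daemon by who owns its processes, separating the root-master-plus-unprivileged-workers layout described above from a daemon whose processes all stay root. The sample lines are constructed, and the daemon basenames, the user names `apache` and `ftpsvc`, and the label strings are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample in `ps aux` column layout (not output from the poster's machine).
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2101  0.0  0.4  18420  4312 ?        Ss   10:02   0:00 /usr/sbin/httpd
apache    2105  0.0  0.3  18556  3120 ?        S    10:02   0:00 /usr/sbin/httpd
apache    2106  0.0  0.3  18556  3108 ?        S    10:02   0:00 /usr/sbin/httpd
root      2230  0.0  0.2   9120  2040 ?        Ss   10:03   0:00 /usr/sbin/smbd -D
root      2231  0.0  0.2   9120  1988 ?        S    10:03   0:00 /usr/sbin/smbd -D
ftpsvc    2310  0.0  0.1   4320  1012 ?        Ss   10:03   0:00 /usr/sbin/vsftpd
server    2400  0.0  0.1   3100   900 pts/0    S+   10:05   0:00 grep httpd
"""

def owners_by_daemon(ps_text, daemons):
    """Map daemon name -> list of owning users, one entry per process."""
    owners = defaultdict(list)
    for line in ps_text.splitlines()[1:]:            # skip the header row
        fields = line.split(None, 10)                # COMMAND is the 11th column
        if len(fields) < 11:
            continue
        user, command = fields[0], fields[10]
        exe = command.split()[0].rsplit("/", 1)[-1]  # basename of argv[0]
        if exe in daemons:                           # also drops the 'grep httpd' line
            owners[exe].append(user)
    return dict(owners)

def classify(users):
    """Label one daemon's process set by who owns it."""
    root = users.count("root")
    if root == 0:
        return "unprivileged"
    if root == len(users):
        return "all-root"              # no process is running as a non-root user
    if root == 1:
        return "root-master+workers"   # one root parent, non-root children
    return "mixed"                     # several root processes: look closer

def audit(ps_text, daemons=("httpd", "smbd", "vsftpd")):
    """Return {daemon: label} for every listed daemon found in the ps text."""
    return {name: classify(users)
            for name, users in owners_by_daemon(ps_text, daemons).items()}

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_PS).items()):
        print(f"{name:8} {verdict}")
```

On a live system, pass the text of `ps aux` to `audit()` instead of `SAMPLE_PS`; a daemon labelled `all-root` is the one whose configuration file is worth checking for a run-as-user setting.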


All times are GMT -5.