11-22-2006, 05:59 PM
#1
LQ Newbie
Registered: Oct 2005
Location: Netherlands
Distribution: Deb'-ian
Posts: 15
Process Owner Questions
I've been working with Linux for a few months now. I feel comfortable enough now to set up a small file and web server now for my local network, but I still have some safety related questions.
The server runs as the user 'server'. My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be potentially dangerous as far as I know, right? The same question goes for Samba and VSFTPD. Both are in a chroot jail in the 'server' home dir. Is it safe to leave these running as root or should I also run them as another user?
My final question is how do I change the owner of a process? I've searched all over the internet (at least that's how I feel by now) but I haven't been able to find the answer.
Thanks in advance!

11-22-2006, 07:05 PM
#2
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by Lawrentium
I've been working with Linux for a few months now. I feel comfortable enough now to set up a small file and web server now for my local network, but I still have some safety related questions.
The server runs as the user 'server'. My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be potentially dangerous as far as I know, right? The same question goes for Samba and VSFTPD. Both are in a chroot jail in the 'server' home dir. Is it safe to leave these running as root or should I also run them as another user?
it's best to run your daemons as non-root users whenever possible... also, it's even better to have separate non-root users for each daemon... this way if an attacker finds, for example, a code-execution vulnerability on one of the daemons, he won't be able to affect the other daemons (without further cracking)...
Quote:
My final question is how do I change the owner of a process? I've searched all over the internet (at least that's how I feel by now) but I haven't been able to find the answer.
daemon programs will usually come with a configuration file in which you can specify the user you want the program to run as... the way it usually goes is like: program is executed as root; program does whatever it needs to do with the root privileges; program drops root privileges and switches ownership to whatever non-root user you specified...
Last edited by win32sux; 11-22-2006 at 07:15 PM.

11-22-2006, 11:20 PM
#3
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally Posted by Lawrentium
My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be potentially dangerous as far as I know, right?
Could you post the relevant lines from your ps output (ps aux | grep httpd)?
It's normal for Apache to have one process running as root at all times. This is the master process which handles things like binding to port 80 (which requires root privileges). It then forks off a number of child processes that handle the actual connections and process the http requests. These child processes are usually owned by a non-root user such as 'apache' or 'nobody' (technically having a dedicated apache user is better). This configuration *is* secure and any type of overflow will occur with the permissions of the limited nobody/apache account rather than root. I believe you can run Apache completely non-root but it can't bind port 80, so you'd need to modify the port to something >1023.
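
The start-as-root-then-drop behaviour described in replies #2 and #3 can be checked from a process listing. The following is an added example, not code from the thread: a POSIX shell function that reads `ps -eo user,pid,ppid,comm` output and flags daemon worker processes still owned by root. The function names, verdict labels and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a daemon's processes by owner and role.
# Input on stdin: output of `ps -eo user,pid,ppid,comm` (USER PID PPID COMMAND).
# Output: one line per matching process: VERDICT ROLE USER PID
#   OK   = process runs as a non-root user
#   NOTE = root-owned master (expected when it must bind a port below 1024)
#   WARN = root-owned worker, i.e. request handling still runs as root
audit_owners() {
    awk -v name="$1" '
        $4 == name { user[$2] = $1; ppid[$2] = $3; order[++n] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                pid = order[i]
                # A worker is a process whose parent is the same daemon.
                role = (ppid[pid] in user) ? "worker" : "master"
                if (user[pid] != "root")   verdict = "OK"
                else if (role == "master") verdict = "NOTE"
                else                       verdict = "WARN"
                print verdict, role, user[pid], pid
            }
        }'
}

# Number of root-owned workers for the named daemon.
count_warn() {
    audit_owners "$1" | awk '$1 == "WARN" { c++ } END { print c + 0 }'
}

# Constructed sample: root master, workers dropped to user "apache".
sample_split() {
    printf '%s\n' 'USER PID PPID COMMAND' 'root 640 1 sshd' \
        'root 812 1 httpd' 'apache 815 812 httpd' 'apache 816 812 httpd'
}

# Constructed sample: every httpd process, workers included, owned by root.
sample_all_root() {
    printf '%s\n' 'USER PID PPID COMMAND' 'root 640 1 sshd' \
        'root 812 1 httpd' 'root 815 812 httpd' 'root 816 812 httpd'
}

echo "split ownership:";  sample_split    | audit_owners httpd
echo "all root:";         sample_all_root | audit_owners httpd
# Live system: ps -eo user,pid,ppid,comm | audit_owners httpd
```

On Debian-based systems the process name is typically `apache2` rather than `httpd`; pass whichever name appears in the COMMAND column.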