LinuxQuestions.org
Old 11-22-2006, 05:59 PM   #1
Lawrentium
LQ Newbie
 
Registered: Oct 2005
Location: Netherlands
Distribution: Deb'-ian
Posts: 15

Rep: Reputation: 0
Process Owner Questions


I've been working with Linux for a few months now. I feel comfortable enough now to set up a small file and web server now for my local network, but I still have some safety-related questions.

The server runs as the user 'server'. My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be potentially dangerous as far as I know, right? The same question goes for Samba and VSFTPD. Both are in a chroot jail in the 'server' home dir. Is it safe to leave these running as root or should I also run them as another user?

My final question is how do I change the owner of a process? I've searched all over the internet (at least that's how I feel by now) but I haven't been able to find the answer.

Thanks in advance!
 
Old 11-22-2006, 07:05 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Lawrentium
I've been working with Linux for a few months now. I feel comfortable enough now to set up a small file and web server now for my local network, but I still have some safety-related questions.

The server runs as the user 'server'. My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be potentially dangerous as far as I know, right? The same question goes for Samba and VSFTPD. Both are in a chroot jail in the 'server' home dir. Is it safe to leave these running as root or should I also run them as another user?
it's best to run your daemons as non-root users whenever possible... also, it's even better to have separate non-root users for each daemon... this way if an attacker finds, for example, a code-execution vulnerability on one of the daemons, he won't be able to affect the other daemons (without further cracking)...

Quote:
My final question is how do I change the owner of a process? I've searched all over the internet (at least that's how I feel by now) but I haven't been able to find the answer.
daemon programs will usually come with a configuration file in which you can specify the user you want the program to run as... the way it usually goes is like: program is executed as root; program does whatever it needs to do with the root privileges; program drops root privileges and switches ownership to whatever non-root user you specified...

Last edited by win32sux; 11-22-2006 at 07:15 PM.
 
Old 11-22-2006, 11:20 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by Lawrentium
My question is, should, for example, Apache run as this user? Right now Apache is running as root, which can be a potentially dangerous as far as I know, right?
Could you post the relevant lines from your ps output (ps aux | grep httpd)?

It's normal for Apache to have one process running as root at all times. This is the master process which handles things like binding to port 80 (which requires root privileges). It then forks off a number of child processes that handle the actual connections and process the http requests. These child processes are usually owned by a non-root user such as 'apache' or 'nobody' (technically having a dedicated apache user is better). This configuration *is* secure and any type of overflow will occur with the permissions of the limited nobody/apache account rather than root. I believe you can run Apache completely non-root but it can't bind port 80, so you'd need to modify the port to something >1023.
 
  

