Web Hosting Talk







View Full Version : Why run httpd as nobody?


thewitt
05-17-2001, 06:29 PM
Given the need to have all your web related files open to the world, why do shared servers run as nobody instead of as the specific user for a domain?

Any insight here will help.

Thanks,

-t

thewitt
05-20-2001, 04:49 PM
Perhaps the better question here is how many of you run your web server processes as nobody vs how many run with suEXEC to run your cgi as the file owner?

Are there other options? How do you do it on your servers?

-t

cirrusrex
05-22-2001, 11:04 PM
Assuming nobody is not an actual account with any real privileges, you want to run Apache as nobody so that the webserver doesn't have the ability to access/modify any files you don't want it to.
Also, using suEXEC is good in certain cases because it can allow the webserver to access certain files that it otherwise couldn't, e.g. accessing a php/python/perl/etc. password file for your database.

thewitt
05-23-2001, 07:56 AM
Originally posted by cirrusrex
Assuming nobody is not an actual account with any real privileges, you want to run Apache as nobody so that the webserver doesn't have the ability to access/modify any files you don't want it to. [clip]

Therein lies the problem.

On a virtual server, in order to let nobody serve the files in my directory, I have to leave my directories and files open to world read access, thus making my site insecure.

If the server ran only as me in my virtual hosting account, I could lock down my files and protect my site. As it is, anyone on my shared server can read my files simply using a cgi script in their web server, since nobody needs to have read access.

-t

Tim Greer
05-23-2001, 09:02 AM
I understand your problem, and we've been discussing permissions and ownership, groups, etc. and a means to deny users from doing that. That is a drawback. Also, one advantage I can think of (the only one I can think of, actually), (and this is what I think the other person above pretty much said) is that with SuEXEC running as your own account's UID/GID, a poorly coded script or one that opens up any (what would possibly otherwise be a) minor security hole that allows people to do something or pass some dangerous input, would be that the compromised script in question, would wipe out all your site's files and directories, whereas a global user would only have permission to wipe out the files it has permission to, not your entire account.

However, there are still issues with permissions where (as you said), where because of the global user, you find you have to actually open yourself up to not only that same problem with your own scripts (which is possibly not an issue with _your scripts_), but other people's, or other users with ill intentions. I definitely suggest everyone be made to use SuEXEC and other such things and if they run a poor script, they are the only site that suffers. Finally, with SuEXEC and scripts running as users' UIDs/GIDs, the server can be controlled better and per account. SuEXEC doesn't have to be enabled on all accounts, just the ones the server wants -- assuming they aren't running some software that would conflict with the CGI wrapper -- in which case, I'd suggest different software. :-)

cirrusrex
05-23-2001, 11:11 AM
On a virtual server, in order to let nobody serve the files in my directory, I have to leave my directories and files open to world read access, thus making my site insecure.

Look at it this way... The problem with web security at the moment is that everyone is aware that it is important but nobody wants to deal with it. Everyone, including the users, needs to be aware of this.
What users need to be aware of is that they should not be putting private stuff in there for all to see. If it is private, change its permissions, encrypt it, if you don't know how ask your hosting provider who can [should be able to] show you how, or better yet don't keep private stuff on the server! If it's a password file for a script, find a host who can give you suEXEC.
In fact, if Apache is running as nobody, you just need to have the user's DocumentRoot (usually public_html with virtual hosters) set to world readable. Now please note that name, public_html. Why shouldn't that be readable system wide? You are letting everyone on the internet see it. Remember, everyone including the users must be proactive about security.
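
[Added example, not part of any post in this thread.] The permission layout discussed above (only the DocumentRoot world-readable when httpd runs as nobody) can be checked from the account owner's side with a short audit. The function name `audit_world_access` and the default docroot name `public_html` are assumptions for illustration:

```shell
#!/bin/sh
# audit_world_access HOME [DOCROOT]   (hypothetical helper, illustration only)
# Prints one finding per line, "<TAG> <path>":
#   READ  = world-readable path OUTSIDE the docroot; any other local user,
#           or a CGI script running as nobody, can read it
#   WRITE = world-writable path anywhere under HOME; any local account,
#           including nobody, can modify it
audit_world_access() {
    home=$1
    docroot=${2:-public_html}   # assumption: docroot name used in the thread

    # Outside the docroot nothing needs the "other" read bit. The home
    # directory itself only needs o+x (e.g. mode 711) so that httpd can
    # traverse into the docroot without being able to list the directory.
    # Symlinks are skipped because their own mode bits are meaningless.
    find "$home" -path "$home/$docroot" -prune -o \
        ! -type l -perm -004 -print | sed 's/^/READ  /'

    # World-writable content is a problem inside the docroot as well.
    find "$home" ! -type l -perm -002 -print | sed 's/^/WRITE /'
}

# Typical call: audit_world_access "$HOME"
```

A finding tagged READ is the case raised earlier in the thread: a file such as a script's database password kept outside the docroot but still readable by every account on the shared server.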

wbglinks.net
06-21-2001, 08:58 AM
I don't know if you have found the answer you were looking for, but this link might help:
http://www.w3.org/Security/Faq/wwwsf5.html#Q50

As far as running httpd as nobody, this should be done, without question.
If you value security, then run httpd as nobody.
The short answer, nobody assumes no real privileges.
And if a hacker/cracker is able to exploit the httpd daemon (remote hack), they will then have the problem of pulling off a local exploit. Which, in all reality, isn't any tougher than the remote hack...but, a layer of protection nonetheless.

Peace out.

Lilac Echo
http://www.wbglinks.net