apache permissions

Richard Lightman richard at reika.demon.co.uk
Mon Jan 29 11:13:22 PST 2001


Misquoted from Lukas Mol on 2001/01/29 at 18:00 +0000:
> on 29-01-2001 11:13, Richard Lightman wrote:
> 
> > Misquoted from Lukas Mol on 2001/01/28 at 20:36 +0000:
> >> 
> >> 1. Apache has set owner and group id to 1079 for quite some files. Anybody
> >> knows which user/group combo is normally used/intended?
> >> 
> > Do you have groups nogroup & ftp?
> yes and no. I don't run any ftp services.
> 
> > Do you have user ftp, primary group ftp?
> no and no.
> 
Apache contains an ftp proxy module. I do not know if you can miss
out user and group ftp if you are not using the module.

> > Do you have user nobody, uid 65534, primary group nogroup?
> yes, I do have nobody, uid 20, with group nogroup, gid 20.
>  
Under arcane and unlikely circumstances linux can give thoroughly 
undeserving people access as user id 65534. If you want to make your
system 0.0001% more secure, give that user id to nobody.

> > If that does not work, do not install as root.
> If what doesn't work? Do not install what as root? Can you please be a bit
> more elaborate? 
> 
Apache can have problems if it is told to use a user/group id that
is not in /etc/passwd or /etc/group. 'ftp' 'nobody' and 'nogroup' are
the only ones that my notes say are required for apache.

I was going to tell you to read the installation instructions. I have
just looked in my new source tarball, and found that the information
is either not there, or is harder to find than in the older version
I took my installation notes from.

Try installing apache with all of these users and groups available.
If that does not cure the problem, there is a fix that may help:
You will need a user id with write access to everywhere that
the 'make install' for apache will write to. This includes the apache
source tree. su to that user to run apache's 'make install'. As it
is not running as root it will be able to chown, or chgrp to any group
that this user is not a member of. That will prevent it installing anything
with silly user/group ID's. If the installation is clean, but apache
creates these id's while running then look for User and Group commands
in apache's configuration files.

> Am I missing something here? I still feel I'm in the dark here, please
> enlighten me ;-)
> 
The first time I installed apache I barely knew what it was for. My
installation script installed a newer version without complaints. I have
never given apache a thorough test. Take a look at htdocs/manual/index.html
in the apache sources. After less than 5 minutes reading you will be more
enlightened than me.

Richard
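
The check discussed in this message (User and Group directives that name ids missing from /etc/passwd or /etc/group, and files left owned by an id with no account), as an added example that is not part of the original message. The function names are hypothetical and the sample files are constructed; Apache's `#id` numeric form for User/Group is handled as well as names.

```shell
#!/bin/sh
# Added example: verify that Apache's User/Group directives resolve to real accounts.

# Print the last value given for a directive (names are case-insensitive in Apache).
directive_value() {  # $1=directive  $2=config file
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 }
                   END { gsub(/"/, "", v); if (v != "") print v }' "$2"
}

# Succeed if a name, or "#id" (Apache's numeric form), exists in a passwd/group
# format file: both keep the name in field 1 and the numeric id in field 3.
id_known() {  # $1=name or #id  $2=passwd or group file
    case "$1" in
        '#'*) awk -F: -v id="${1#?}" '$3 == id { f = 1 } END { exit !f }' "$2" ;;
        *)    awk -F: -v n="$1" '$1 == n { f = 1 } END { exit !f }' "$2" ;;
    esac
}

check_one() {  # $1=directive  $2=config  $3=passwd or group file
    v=$(directive_value "$1" "$2")
    if [ -z "$v" ]; then echo "$1: not set in $2"; return 1; fi
    if id_known "$v" "$3"; then echo "$1 $v: ok"; return 0; fi
    echo "$1 $v: no matching entry in $3"; return 1
}

# Returns non-zero if either directive is unset in this file or unresolved.
check_apache_ids() {  # $1=httpd.conf  $2=passwd  $3=group
    rc=0
    check_one User "$1" "$2" || rc=1
    check_one Group "$1" "$3" || rc=1
    return $rc
}

# List files under a tree whose owner or group has no account on this system.
orphaned_files() { find "$1" \( -nouser -o -nogroup \) -print; }

# Constructed sample data (not taken from the system in the thread).
demo=$(mktemp -d)
printf 'root:x:0:0::/root:/bin/sh\nnobody:x:20:20::/:/bin/false\n' > "$demo/passwd"
printf 'root:x:0:\nnogroup:x:20:\n' > "$demo/group"
printf '# User root\nUser nobody\nGroup #1079\n' > "$demo/httpd.conf"
check_apache_ids "$demo/httpd.conf" "$demo/passwd" "$demo/group" \
    || echo "fix the directive or add the missing account"
```

On a real system the arguments would be the installed httpd.conf, /etc/passwd and /etc/group, and `orphaned_files` would be pointed at the Apache install prefix.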
