[Techtalk] Web Server User
Carla Schroder
carla at bratgrrl.com
Sat Oct 15 11:03:20 EST 2005
On Friday 14 October 2005 4:56 pm, Raquel Rice wrote:
> Is there any reason that the user which Apache runs as
> (www-data/nobody) has a shell available to it? I'm trying to get
> rid of some possible exploit areas.
'nobody' should not have a shell; change it to /bin/false.
From man passwd:

"The command interpreter field provides the name of the user's command language interpreter, or the name of the initial program to execute. Login uses this information to set the value of the SHELL environmental variable. If this field is empty, it defaults to the value /bin/sh."
I like to create a unique user for each service, rather than sharing 'nobody'.
That way if one of them is compromised, the damage is limited.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
http://www.tuxcomputing.com
check out my new book, the "Linux Cookbook", the ultimate Linux user's
and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
this message brought to you
by Libranet 3 and Kmail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
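The advice above (no interactive shell for the account a daemon runs as, and one dedicated account per service) can be checked mechanically. The script below is an added example, not part of Carla's post: it reads passwd-format lines, flags service accounts (uid below 1000, or the 65534 'nobody' uid) whose shell is interactive, treats an empty shell field as /bin/sh per the man page quoted above, and prints the corrective usermod/useradd commands rather than running them, so it needs no root and no real /etc/passwd. The sample passwd lines are constructed; the 1000 uid cut-off and the user name apache-www are assumptions.

```shell
#!/bin/sh
# Constructed sample /etc/passwd content (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
postgres:x:106:110:PostgreSQL:/var/lib/postgresql:/bin/bash
carla:x:1000:1000:Carla:/home/carla:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:105:105::/srv/ftp:'

# Print "user:shell" for every service account that still has an interactive shell.
# Service account = uid below 1000 (assumed convention) or the 65534 'nobody' uid.
# root is skipped; an empty shell field is reported as /bin/sh because login
# defaults it to /bin/sh (man passwd).
list_service_logins() {
    printf '%s\n' "$1" | awk -F: '
        $3 == 0 { next }
        ($3 < 1000 || $3 == 65534) {
            s = $7
            if (s == "") s = "/bin/sh"
            if (s != "/bin/false" && s !~ /nologin$/)
                print $1 ":" s
        }'
}

# Emit one usermod command per offending account (dry run: printed, not executed).
fix_commands() {
    list_service_logins "$1" | while IFS=: read -r user shell; do
        printf 'usermod -s /bin/false %s\n' "$user"
    done
}

# Emit the useradd command for a dedicated, shell-less system account for one
# service, instead of sharing 'nobody'. Flags are standard shadow-utils useradd.
dedicated_user_cmd() {
    user=$1
    home=$2
    printf 'useradd --system --shell /bin/false --home-dir %s --no-create-home %s\n' \
        "$home" "$user"
}

# Usage: audit the sample, then show how a dedicated web-server account would be made.
list_service_logins "$SAMPLE_PASSWD"
fix_commands "$SAMPLE_PASSWD"
dedicated_user_cmd apache-www /var/www
```

Run it against a real system with `list_service_logins "$(cat /etc/passwd)"`; review the printed commands before applying them, since some daemons (cron jobs running `su - service`, for example) legitimately need a shell.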