[Techtalk] Web Server User

Carla Schroder carla at bratgrrl.com
Sat Oct 15 11:03:20 EST 2005


On Friday 14 October 2005 4:56 pm, Raquel Rice wrote:
> Is there any reason that the user which Apache runs as
> (www-data/nobody) has a shell available to it?  I'm trying to get
> rid of some possible exploit areas.

'nobody' should not have a shell; change it to /bin/false.

From man passwd:

"The command interpreter field provides the name of the user's command
language interpreter, or the name of the initial program to execute.
Login uses this information to set the value of the SHELL environmental
variable. If this field is empty, it defaults to the value /bin/sh."

I like to create a unique user for each service, rather than sharing 'nobody'. 
That way if one of them is compromised, the damage is limited.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
http://www.tuxcomputing.com
check out my new book, the "Linux Cookbook", the ultimate Linux user's 
and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
this message brought to you
by Libranet 3 and Kmail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
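An added example (not from the original post) that puts the two points above into a check a sysadmin can run: it lists service accounts whose shell field still permits login, treating an empty field as /bin/sh exactly as the passwd(5) excerpt says, and shows how to create a dedicated no-login user per service. The passwd entries are constructed sample data, and add_service_user assumes the shadow-utils useradd options.

```shell
#!/bin/sh
# Report accounts whose shell field allows interactive login.
# Reads passwd-format lines on stdin and prints "user:shell" for each
# account that does NOT have a non-login shell. An empty 7th field is
# treated as /bin/sh, as documented in passwd(5).
login_shell_accounts() {
    awk -F: '
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # empty field defaults to /bin/sh
            if (shell == "/bin/false" || shell == "/sbin/nologin" ||
                shell == "/usr/sbin/nologin") next
            print $1 ":" shell
        }'
}

# Constructed sample passwd entries (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:
postfix:x:106:113::/var/spool/postfix:/bin/false
mysql:x:107:114:MySQL Server:/nonexistent:/usr/sbin/nologin
carla:x:1000:1000:Carla:/home/carla:/bin/bash'

# Service accounts conventionally have UIDs below 1000 (plus nobody at
# 65534). Skip root and regular users, then keep only login-capable ones.
service_accounts_with_shell() {
    printf '%s\n' "$SAMPLE_PASSWD" \
        | awk -F: '$3 != 0 && ($3 < 1000 || $3 == 65534)' \
        | login_shell_accounts
}

# Create a dedicated system account for one service with no usable shell
# and no home directory. Assumes shadow-utils useradd; requires root.
# Usage: add_service_user apache-svc
add_service_user() {
    useradd --system --shell /bin/false --home-dir /nonexistent \
            --no-create-home "$1"
}

# On a real host: service_accounts_with_shell reading /etc/passwd instead
# of SAMPLE_PASSWD lists the accounts worth fixing.
service_accounts_with_shell
```

In the sample data, www-data and nobody are reported (nobody because its empty shell field falls back to /bin/sh), while postfix and mysql already have non-login shells.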

