[plug] Simple Web questions - Debian Linux

Christian christian at global.net.au
Sun Jun 13 11:26:58 WST 1999


Trevor Phillips didn't write:

> > 3.    If the answer to 2 is "nobody:nogroup", isn't that a security risk?
> > 4.    Unless the answer is "www-data", why does Debian have "www-data"?

There are probably several answers - here's mine. :)

It's not uncommon for people to run various (usually non-standard)
services (which don't require privileges or release those privileges
early, i.e. after binding to a privileged port) as nobody:nogroup.  This
is, of course, better than running them as root; however, it opens up the
potential for a security failure in one of those services to affect the
others.  By having a user and group 'www-data', Debian isolates the
damage that could result from a poorly written CGI being subverted and
deleting/over-writing other accessible files on the system.

I suspect this is part of the reason (if not the majority of it) why
Debian sets it up this way.  Others may be able to suggest other
advantages to this approach also.

Regards,

Christian.

-- 
If the grass is greener on other side of fence, consider what may be
fertilizing it.
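
Added example, not part of the original post and not Debian's or any web server's own code: a service that binds its privileged port as root and then drops permanently to a dedicated account, as the reply describes. The account name "www-data" is taken from the thread; port 80 and the function names are assumptions.

```c
#define _DEFAULT_SOURCE                 /* exposes setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

int bind_listener(unsigned short port)  /* call while still root for ports < 1024 */
{
    struct sockaddr_in addr = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0
               || listen(fd, 16) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Returns 0 only if the process now runs as `account` and cannot regain root. */
int drop_privileges(const char *account)
{
    struct passwd *pw = getpwnam(account);
    if (pw == NULL || pw->pw_uid == 0 || pw->pw_gid == 0)
        return -1;                      /* unknown account, or not a real drop */
    /* Groups first: after setuid() we no longer have the right to change them. */
    if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0
                                       || setuid(pw->pw_uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0 || setgid(0) == 0 || geteuid() != pw->pw_uid)
        return -1;
    return 0;
}

int main(void)
{
    int fd = bind_listener(80);         /* assumed port; needs root */
    if (fd < 0 || drop_privileges("www-data") != 0) {
        fprintf(stderr, "bind or privilege drop failed; refusing to serve\n");
        return 1;
    }
    printf("listening on fd %d as uid=%d gid=%d\n", fd, (int)getuid(), (int)getgid());
    return 0;
}
```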

