Apache user secondary groups
Hi, I have a question regarding running apache as user apache and group apache and secondary groups. I saw the thread here about webadmin.php and when I uploaded it I was able to traverse the whole directory structure. I have enabled open_basedir to counter that script but open_basedir can be bypassed I believe.
Now my question: on my server (directadmin) the apache user is a member of the following groups:
- root bin daemon sys adm tty disk lp mem kmem wheel mail news uucp man games gopher dip ftp lock nobody users rpm floppy vcsa utmp slocate nscd sshd rpc rpcuser nfsnobody mailnull smmsp pcap xfs named ntp desktop netdump mysql directadmin and all the hosting clients username/groups.
Surely apache only needs to be in the groups apache, and the users (hosting account usernames) groups. Does it need to be in the directadmin group? Does it need to be in any of the first block of groups mentioned? Especially wheel, as I have secured compiler tools to group wheel and a compromised apache would have access to compilers.
Any security gurus here want to recommend just what groups apache NEEDS to belong to?
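Added example, not part of the original post: a small audit that lists the supplementary groups a service account holds and flags any outside an allowlist. The group file contents, the client account names and the allowlist are constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Audit supplementary group membership of a service account.

# Constructed sample in /etc/group format: name:passwd:gid:member,member,...
sample_group_file() {
cat <<'EOF'
root:x:0:root,apache
wheel:x:10:admin,apache
mysql:x:27:apache
directadmin:x:101:apache
apache:x:48:
client1:x:501:apache
client2:x:502:client2,apache
users:x:100:client1
EOF
}

# Read group entries on stdin; print each group that lists user $1 as a member.
# The primary group comes from /etc/passwd, so it does not appear here.
groups_of() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# Print the groups of user $1 that are not in the space-separated allowlist $2.
unexpected_groups() {
    user=$1
    allow=" $2 "
    groups_of "$user" | while read -r g; do
        case "$allow" in
            *" $g "*) ;;          # expected membership
            *) echo "$g" ;;       # membership to review
        esac
    done
}

# Assumed allowlist: the apache group plus the hosting account groups.
ALLOW="apache client1 client2"
sample_group_file | unexpected_groups apache "$ALLOW"
```

On a live system, feed the functions real data instead of the sample, for example `getent group | unexpected_groups apache "$ALLOW"`.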