nobody == good!

Yes, it is to your advantage to continute running Apache as the prividge-less nobody (some systems use the login 'apache', but with the same basic idea).

That way, in the rare event that your web server should by any chance become compromised, the attacker won't be able to access anything else on the system.

If you are going to be using multi-user hosting, then suEXEC is the way to go. That will allow CGI's to run with the permissions of their owner, not the permissions of Apache. This will allow users to keep private files (password lists, billing information, etc.) chmodded 700 (Owner - Full access, Everyone else - No access).

On an interesting side note, however, suEXEC does not affect PHP files running under mod_php.

Hope that's not too confusing!

[Edit] - I typed this as a reply to the thread about httpd/nobody, yet for some odd reason vBulletin put this guy here. Maybe I just screwed up - it's late. nobody == good!

 

 

 

 

Top