The Community Forums

Interact with an entire community of cPanel & WHM users!

Apache nobody:nobody security risk?

Discussion in 'EasyApache' started by stevenc317, Feb 11, 2009.

  1. stevenc317

    stevenc317 Well-Known Member

    Joined:
    Jan 27, 2009
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Evening guys,

    Being that I am new to Apache (switching from Solaris/Zeus) I have picked up a few books on how it operates. Currently I am reading "Preventing Web Attacks with Apache"; on Chapter 2, pg 30 it mentions that you should set up a specific user and group to run Apache and NOT use nobody:nobody.

    "The 'nobody' userid and group that comes default on UNIX variants should not be used to run the web server. The 'nobody' account was originally introduced as a means to map the 'root' account over NFS. Due to the underlying association between the 'nobody' and 'root' accounts, it is best to create new accounts for the sole purpose of running the web server"

    Looking at my '/usr/local/apache/conf/httpd.conf' file I notice that cPanel uses nobody for both group and user:

    User nobody
    Group nobody

    Should I create a new group and change the httpd.conf file? What do you guys at cPanel think (I am new here, and trust your judgment)? Could this be an option in WHM (or maybe it is and I missed it) to choose the user/group & password for Apache to run under?
     
    #1 stevenc317, Feb 11, 2009
    Last edited: Feb 12, 2009
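    An added audit helper, not from this thread and not cPanel's own tooling, that reads the User and Group directives exactly as they appear in the httpd.conf lines quoted above and flags shared system accounts such as nobody. The list of shared accounts and the dedicated account name apache-web are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added audit helper, not cPanel's own code: report which account the User and
# Group directives in an httpd.conf select and flag shared system accounts.
set -u

# Accounts many daemons share (assumed list). A process compromised under one of
# them has the same UID/GID as every other process using that account.
SHARED_ACCOUNTS="nobody nogroup daemon root"

# Print the value of a directive (User, Group, ...) from a config file.
# Commented lines never match, the directive name is case-insensitive as in
# Apache, and the last occurrence wins, which is how Apache resolves it.
apache_directive() {
    conf="$1"; name="$2"
    grep -iE "^[[:space:]]*${name}[[:space:]]+[^[:space:]]+" "$conf" \
        | tail -n 1 | awk '{print $2}'
}

# Exit 0 when the account name is one of the shared accounts above.
is_shared_account() {
    for acct in $SHARED_ACCOUNTS; do
        [ "$1" = "$acct" ] && return 0
    done
    return 1
}

# Print one line per directive; exit 1 if either is missing or shared.
audit_httpd_conf() {
    conf="$1"; rc=0
    for name in User Group; do
        value=$(apache_directive "$conf" "$name")
        if [ -z "$value" ]; then
            echo "WARN $name not set; Apache uses its compiled-in default"; rc=1
        elif is_shared_account "$value"; then
            echo "WARN $name '$value' is a shared system account"; rc=1
        else
            echo "OK   $name '$value'"
        fi
    done
    return $rc
}

# Demo on two constructed fragments: the cPanel default quoted in the thread,
# then the same file switched to a dedicated (assumed) apache-web account.
demo=$(mktemp)
printf 'User nobody\nGroup nobody\nUserDir public_html\n' > "$demo"
audit_httpd_conf "$demo" || true
printf '# User nobody\nUser apache-web\nGroup apache-web\n' > "$demo"
audit_httpd_conf "$demo" || true
rm -f "$demo"
```

    Point it at the real file with `audit_httpd_conf /usr/local/apache/conf/httpd.conf`; a non-zero exit means the server is still running under a shared account.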
  2. stevenc317

    stevenc317 Well-Known Member

    Joined:
    Jan 27, 2009
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    anyone have any thoughts on this?

    I did more research and found:

    http://www.securityfocus.com/infocus/1694
    "By default, Apache processes run with privileges of user nobody (except the main process, which runs with root privileges) and GID of group nogroup. This might pose a significant security threat. In case of successful break-in, the intruder can obtain access to all other processes that run under the same UID/GID. Hence, the optimum solution is to run Apache under the UID/GID of a unique regular user/group, dedicated to that software."

    ---
    Apache Security, By Ivan Ristic, Page 26
    "Upon installation, Apache runs as a user 'nobody'. While this is convenient ... it is a good idea to create a separate account for each different task. The idea behind this is that if attackers break into the server through the web server, they will get the privileges of the web server, not root."

    Basically, the only sites saying to use nobody were how-tos that just spoke of how to set up Apache and that 'nobody' is a default. I have yet to find a security-related article stating it is a good reason.

    I would really like to hear back from cPanel regarding this.
     
  3. d_t

    d_t Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    243
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bucharest
    That article is a little bit old (6 years ago). Latest cPanel versions let you choose between making a more secure server and a rapid one. For the first type, you can choose SuExec + SuPHP or FCGI. In this case, all scripts, including PHP, will run as the user. For the rapid one, PHP is compiled as a module (mod_php) and runs as nobody. Security is provided with open_basedir, which restricts access to user files, disabling some dangerous functions from php.ini, mod_security, etc.

    See this link:
    http://www.cpanel.net/support/docs/ea/ea3/ea3php_php_requests.html
     
  4. stevenc317

    stevenc317 Well-Known Member

    Joined:
    Jan 27, 2009
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    d_t,

    Thanks for pointing me to this article; it has some good information in it. That said, for the most part I do not use PHP, so the information (while informative) isn't 100% relevant to my usage as I only use Perl.
     
    #4 stevenc317, Feb 13, 2009
    Last edited: Feb 13, 2009