stevenc317

Well-Known Member
Jan 27, 2009
Evening guys,

Being that I am new to Apache (switching from Solaris/Zeus), I have picked up a few books on how it operates. Currently I am reading "Preventing Web Attacks with Apache"; in Chapter 2, pg 30, it mentions that you should set up a specific user and group to run Apache and NOT use nobody:nobody.

"The 'nobody' userid and group that comes default on UNIX variants should not be used to run the web server. The 'nobody' account was originally introduced as a means to map the 'root' account over NFS. Due to the underlying association between the 'nobody' and 'root' accounts, it is best to create new accounts for the sole purpose of running the web server"

Looking at my '/usr/local/apache/conf/httpd.conf' file I notice that cPanel uses nobody for both group and user:

User nobody
Group nobody

Should I create a new group and change the httpd.conf file? What do you guys at cPanel think (I am new here, and trust your judgment)? Could this be an option in WHM (or maybe it is and I missed it) to choose the user/group & password for Apache to run under?
 

stevenc317

Anyone have any thoughts on this?

I did more research and found:

http://www.securityfocus.com/infocus/1694
"By default, Apache processes run with privileges of user nobody (except the main process, which runs with root privileges) and GID of group nogroup. This might pose a significant security threat. In case of successful break-in, the intruder can obtain access to all other processes that run under the same UID/GID. Hence, the optimum solution is to run Apache under the UID/GID of a unique regular user/group, dedicated to that software."

---
Apache Security, By Ivan Ristic, Page 26
"Upon installation, Apache runs as a user 'nobody'. While this is convenient ... it is a good idea to create a separate account for each different task. The idea behind this is that if attackers break into the server through the web server, they will get the privileges of the web server, not root."

Basically the only sites saying to use nobody were how-tos that just spoke of how to set up Apache and that 'nobody' is a default. I have yet to find a security-related article stating it is a good reason.

I would really like to hear back from cPanel regarding this.
 

d_t

Well-Known Member
Sep 20, 2003
Bucharest
That article is a little bit old (6 years ago). The latest cPanel versions let you choose between making a more secure server and a rapid one. For the first type, you can choose SuExec + SuPHP or FCGI. In this case, all scripts, including PHP, will run as the user. For the rapid one, PHP is compiled as a module (mod_php) and runs as nobody. Security is provided with open_basedir, which restricts access to user files, by disabling some dangerous functions in php.ini, mod_security, etc.

See this link:
http://www.cpanel.net/support/docs/ea/ea3/ea3php_php_requests.html
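
Added example, not part of any post in this thread and not a cPanel tool: a small audit of the `User`/`Group` directives discussed above, flagging shared accounts such as `nobody` and handling Apache's numeric `#uid` form, which must not be mistaken for a comment. The shared-account list, the `httpd-web` account name and both sample configurations are constructed assumptions.

```python
import re

# Accounts shared with other services; the exact list is an assumption of
# this example, following the sources quoted in the thread.
SHARED_ACCOUNTS = {"nobody", "nogroup", "root", "daemon"}

# Apache accepts a name or "#<number>" as the value, so a "#" after the
# directive name is part of the value. Only whole lines starting with "#"
# are comments.
DIRECTIVE = re.compile(r'^\s*(User|Group)\s+"?(#?-?\w[\w.-]*)"?\s*$', re.IGNORECASE)

def audit_httpd_conf(text):
    """Return ({directive: (value, line)}, [findings]) for one config file."""
    effective = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive, ignore it
        m = DIRECTIVE.match(line)
        if m:
            # Assumption: the last occurrence in the file is the one in effect.
            effective[m.group(1).capitalize()] = (m.group(2), lineno)
    findings = []
    for directive in ("User", "Group"):
        if directive not in effective:
            findings.append(f"{directive}: not set in this file, check included files")
            continue
        value, lineno = effective[directive]
        if value.startswith("#"):
            findings.append(f"{directive} {value} (line {lineno}): numeric ID, "
                            "resolve it and confirm it is dedicated to Apache")
        elif value.lower() in SHARED_ACCOUNTS:
            findings.append(f"{directive} {value} (line {lineno}): shared account, "
                            "use one dedicated to the web server")
    return effective, findings

# Constructed sample: the configuration quoted in the first post.
SAMPLE_CONF = '''\
# User apache
ServerRoot "/usr/local/apache"
User nobody
Group nobody
'''

# Constructed sample: a dedicated account (hypothetical name).
HARDENED_CONF = "User httpd-web\nGroup httpd-web\n"

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_httpd_conf(conf)[1] or "no findings")
```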