Fix apache groups

felosi

I know I mentioned this before and even emailed support about it, but the only thing my friends and I find wrong with DA is the way it runs Apache as the apache user and group. A pretty dangerous setup: if someone uploaded a PHP shell they could write to anything and rise above the home folder.
I wish they would change it to nobody or www-data. The way it is now is dangerous and insecure.
I don't know if anyone agrees with me on this or not, but the security-minded people I know do. The apache user has way too many privileges to be run this way.
 
You can always change it by modifying the group and user variables in httpd.conf.
 
Already tried that; my site worked OK, but the Joomla sites and galleries went all to hell. I guess because they were originally installed with the apache group.
 
mod_security is the best option in this case. You can customize mod_security rules, which will allow you to set rules on commands run through the browser or shell scripts executed with scripts under the ownership of nobody.

Joomla and php-nuke are high-risk applications, as these applications create additional web pages under the ownership of nobody and they need the respective folders with permission 777 to create scripts under the ownership of nobody.

The only way to sort this security risk is mod_security, as any other way would stop Joomla and php-nuke.
 
No, that's what I'm saying: on DirectAdmin it doesn't run anything for Apache as nobody. I had to add my own rules to stop some shells, but there are more out there, and on DirectAdmin's Apache they can upload or write to any folder you have.

If it did run Apache as nobody then the shells wouldn't have so many permissions.

I use all the rules from gotroot.com and a few of my own, and you can't stop them all. If Apache was run as nobody it would fix the problem.
 
DA has never set file ownership to apache on any of my servers, only the group ownership, so it would need group write permissions for people to be able to write to many folders that are not their own.
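The two exposures the thread keeps coming back to (folders left 777 so Joomla or php-nuke can write into them, and directories or scripts that are group-writable by the group Apache runs as) can be inventoried with a plain find pass. This is an added audit script, not anything from the forum posters or from DirectAdmin; it assumes the web group is named "apache" (pass another name as the second argument) and reports one finding per line.

```sh
#!/bin/sh
# Audit a web root for paths a shared Apache user/group could write into.
# Added example (not from the thread). The group name is an assumption:
# DirectAdmin's default "apache" group is used when no second argument is given.
# Usage: audit_web_writable /home apache

audit_web_writable() {
    root="$1"
    web_group="${2:-apache}"

    # 1. World-writable directories (the 777 case): any local user, including
    #    the web server user, can create or replace files here.
    find "$root" -type d -perm -0002 2>/dev/null \
        | sed 's/$/ : world-writable directory/'

    # 2. Directories owned by the web group with group write set (skipping
    #    those already reported as world-writable): writable by every script
    #    Apache runs, regardless of which account owns the directory.
    find "$root" -type d -group "$web_group" -perm -0020 ! -perm -0002 2>/dev/null \
        | sed "s/\$/ : group-writable directory (group $web_group)/"

    # 3. Regular files owned by the web group with group write set: Apache,
    #    and therefore any uploaded PHP shell, can rewrite these scripts/configs.
    find "$root" -type f -group "$web_group" -perm -0020 2>/dev/null \
        | sed "s/\$/ : group-writable file (group $web_group)/"
}

# Number of findings only; handy as a cron check that alerts when non-zero.
count_web_writable() {
    audit_web_writable "$1" "$2" | wc -l | tr -d ' '
}
```

Run it against /home after the User/Group change in httpd.conf to see which account trees would stop working (they are the ones relying on group write), and before it to see how far a shell running as the apache group could reach.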
 