From: George C. <ga...@sp...> - 2004-11-07 03:46:28
Hi all,

On Gentoo, apache runs as user:group apache:apache instead of nobody:nogroup. The shell for apache in /etc/passwd is set to /bin/false. The 'su' command on Gentoo does not include the ability to override the "shell", so the shell in the passwd file has to be valid.

I built slash using USER=apache GROUP=apache on the make statement, and u=apache g=apache on the install-slashsite command. In order to get slashd to start I had to put a shell on the apache entry in passwd and remove the --shell="/bin/sh" from the Linux su statement in init.d/slash.

Any thoughts on whether there could be a security exposure by providing a valid shell to apache? Would it be preferable to create a new "slash" uid:gid and add the apache uid to the slash group so that apache has access to the slash files?

Any suggestions on how I should set up the file and task ownership?

Thanks,
George

From: Shane <sh...@lo...> - 2004-11-07 14:11:56
Does Gentoo have a 'valid shells' file, i.e. /etc/shells?

As for security, if the user that apache is running under has a shell, I doubt it's a problem. If I recall, a few years ago Red Hat was putting /bin/false or /dev/null into the shell for the nobody account, which was a slight problem with slash/slashd.

I'd google on it if I were you, but that's about it.

Shane

disclaimer: I've never used Gentoo.

On Nov 6, 2004, at 8:52 PM, George Clark wrote:

> Hi all,
>
> On Gentoo, apache runs as user:group apache:apache instead of
> nobody:nogroup. The shell for apache in /etc/passwd is set to
> /bin/false. The 'su' command on Gentoo does not include the ability to
> override the "shell", so the shell in the passwd file has to be valid.
>
> I built slash using USER=apache GROUP=apache on the make statement, and
> u=apache g=apache on the install-slashsite command. In order to get
> slashd to start I had to put a shell on the apache entry in passwd and
> remove the --shell="/bin/sh" from the Linux su statement in init.d/slash.
>
> Any thoughts on whether there could be a security exposure by providing
> a valid shell to apache? Would it be preferable to create a new "slash"
> uid:gid and add the apache uid to the slash group so that apache has
> access to the slash files?
>
> Any suggestions on how I should set up the file and task ownership?
>
> Thanks,
> George
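
An added example, not part of either message: a small check of how an account's passwd shell field relates to the /etc/shells question raised in the thread. The function name, the sample accounts and their uid/gid values are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not taken from the poster's system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/bin/false
slash:x:1001:1001:slash daemon:/home/slash:/bin/sh
EOF
}
sample_shells() {
    cat <<'EOF'
# valid login shells
/bin/sh
/bin/bash
EOF
}

# classify_shell USER PASSWD_FILE SHELLS_FILE
# Prints "missing", "nologin <shell>", "login <shell>" or "unlisted <shell>".
classify_shell() {
    # Field 7 of a passwd entry is the login shell; empty means /bin/sh.
    line=$(awk -F: -v u="$1" '$1 == u { print; exit }' "$2")
    if [ -z "$line" ]; then echo "missing"; return 0; fi
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    [ -n "$shell" ] || shell=/bin/sh
    case ${shell##*/} in
        false|nologin)
            # "su USER -c cmd" hands cmd to this shell, so cmd never runs.
            echo "nologin $shell"; return 0 ;;
    esac
    # A shell counts as listed only if a whole line of the shells file matches.
    if grep -qxF -- "$shell" "$3"; then
        echo "login $shell"
    else
        echo "unlisted $shell"
    fi
}

# Run the check over the constructed data.
run_demo() {
    dir=$(mktemp -d) || return 1
    sample_passwd > "$dir/passwd"
    sample_shells > "$dir/shells"
    for u in apache slash nobody; do
        printf '%-8s %s\n' "$u" "$(classify_shell "$u" "$dir/passwd" "$dir/shells")"
    done
    rm -rf "$dir"
}
run_demo
```

Pointed at the real /etc/passwd and /etc/shells, "login" for the web server account means the passwd entry has been given a real shell, which is the change the original post asks about.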