Re: [GENERAL] Re:Trying to SELECT via web server using PHP - Mailing list pgsql-general

From Peter Eisentraut
Subject Re: [GENERAL] Re:Trying to SELECT via web server using PHP
Date
Msg-id Pine.GSO.3.96.991120151716.5882A-100000@berch.csd.uu.se
In response to Re:Trying to SELECT via web server using PHP  (Bill Sneed <bsneed@mint.net>)
List pgsql-general
On Sat, 20 Nov 1999, Bill Sneed wrote:

> (1) You've granted "nobody" read rights to the table(s)? Don't forget
> that user "nobody" is default user of Apache -- and perhaps other
> Web servers as well.

This is diverging a little bit, but since it comes up quite a lot, I'll
say it again: It is absolutely insane to grant user "nobody" any table
access rights! It is also a perhaps unfortunate circumstance that the
Apache project just silently sets the default user to user "nobody".

Reasoning: A number of system daemons and other programs use the user
"nobody" when they want to be extremely secure and want to make sure they
don't have access to anything. Granting that user access to anything is
therefore wrong.

If you need your webserver to do all kinds of things on your server,
invent a different username, such as "httpd", and run the webserver as
that. Before you know it, your "nobody" also owns files, directories, suid
programs; if you don't pay attention, it might even have catalog update
privileges in PostgreSQL. Then some guy comes along and sends email to
kmem@yourdomain, the MDA wisely switches to nobody as a preventive
measure, and all hell breaks loose once the mail gets into your procmail
filters. Just an example.

--
Peter Eisentraut                  Sernanders vaeg 10:115
peter_e@gmx.net                   75262 Uppsala
http://yi.org/peter-e/            Sweden
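
Added example, not part of the original message: one way to audit what "nobody" already holds in a database and move the web server to a dedicated role, written in current PostgreSQL syntax. The role name "httpd" follows the message's suggestion; the database "webdb" and table public.articles are assumed names.

```sql
-- Added example. Assumed names: database "webdb", table public.articles.
-- Run as a PostgreSQL superuser while connected to the database in question.

-- 1. Audit: table privileges granted directly to "nobody".
SELECT table_schema, table_name, privilege_type, grantor
FROM information_schema.table_privileges
WHERE grantee = 'nobody'
ORDER BY table_schema, table_name, privilege_type;

-- 2. Audit: relations (tables, views, sequences, indexes) owned by "nobody".
SELECT n.nspname AS schema_name, c.relname AS relation_name, c.relkind
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r ON r.oid = c.relowner
WHERE r.rolname = 'nobody'
ORDER BY n.nspname, c.relname;

-- 3. Audit: role attributes. In current releases, updating the system
--    catalogs directly requires superuser, so rolsuper must be false.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolname = 'nobody';

-- 4. Create a dedicated, unprivileged role for the web server and grant it
--    only what the application reads, then strip the table privileges from
--    "nobody". The transaction aborts cleanly if any step fails (for
--    example, if the role "nobody" does not exist in this cluster).
BEGIN;
CREATE ROLE httpd LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT CONNECT ON DATABASE webdb TO httpd;
GRANT USAGE ON SCHEMA public TO httpd;
GRANT SELECT ON public.articles TO httpd;
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM nobody;
COMMIT;
```

After the change, queries 1 and 2 should return no rows for "nobody"; anything query 2 still lists needs its ownership moved with ALTER ... OWNER TO.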

