On Sat, 2004-07-10 at 15:04, Dave Pawson wrote:
> What about running tomcat or apache?
> Any guidelines on creating users/groups for such as that?
>
> regards DaveP

The typical apache install from the rpms I think defaults to using the user apache. If you install the sources from the web site I believe they use the user nobody by default. This is an option you can set in the httpd.conf file.

Whichever user you use should NOT have a login shell. The idea is that this is an unprivileged user so on the off chance that someone finds and uses a flaw to gain shell access to the server they would be limited in what they could do. They may be able to use that access to employ yet another exploit to gain root access but it makes it that much more difficult.

I have not played much with tomcat. Used it a little with opennms I think but nothing very serious. The same ideas should apply: run them with the fewest privileges possible to get the job done. And where possible leave an audit trail. (That is what forcing someone to log in as a user account and then su-ing or using sudo will do for you.)

I also recommend you study any security documentation for each of those packages provided by the developers. They will know much better than I how to secure their packages.

Good security starts with a healthy dose or two of paranoia and suspicion regarding everything! And remember the two most likely sources of compromise are poor physical security and people you trust with access to the system.

-- 
Scot L. Harris
webid@xxxxxxxxxx

You can get everything in life you want, if you will help enough other people get what they want.
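
The check described in the message above (the httpd.conf `User` must be an unprivileged account with no login shell), written as an added example that is not part of the original post. The function name `check_httpd_user`, the file layout and the sample accounts are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit the account Apache runs as.
# check_httpd_user HTTPD_CONF PASSWD_FILE
#   prints a verdict; returns 0 = ok, 1 = finding, 2 = could not determine.
check_httpd_user() {
    conf=$1 passwd=$2
    # Directive names are case-insensitive; the last uncommented "User" wins.
    user=$(awk 'tolower($1) == "user" { u = $2 } END { print u }' "$conf")
    if [ -z "$user" ]; then
        echo "UNKNOWN: no User directive in $conf"; return 2
    fi
    # Fetch "uid:shell" for that account name from the passwd-format file.
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $7; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "UNKNOWN: user '$user' not found in $passwd"; return 2
    fi
    uid=${entry%%:*} shell=${entry#*:}
    if [ "$uid" = 0 ]; then
        echo "FAIL: httpd runs as '$user' (uid 0)"; return 1
    fi
    case $shell in
        */nologin|*/false)
            echo "OK: '$user' uid=$uid shell=$shell"; return 0 ;;
        *)  # an empty shell field means the system default shell, i.e. a login shell
            echo "FAIL: '$user' has login shell '${shell:-<default>}'"; return 1 ;;
    esac
}

# Constructed sample data (not taken from a real host).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
nobody:x:99:99:Nobody:/:/bin/sh
EOF
printf '# User root\nUser apache\nGroup apache\n' > "$demo/good.conf"
printf 'User nobody\nGroup nobody\n' > "$demo/bad.conf"

check_httpd_user "$demo/good.conf" "$demo/passwd" || true
check_httpd_user "$demo/bad.conf"  "$demo/passwd" || true
rm -rf "$demo"
```

On a real host the arguments would be the server's own httpd.conf and /etc/passwd; accounts resolved through LDAP or NIS are not covered by a flat-file lookup.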