Bug 2098

Summary: user/group apache runs as is " nobody "
Product: [Retired] Red Hat Linux Reporter: Jeremiah Johnson <jjohnson>
Component: apacheAssignee: Cristian Gafton <gafton>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-04-10 02:37:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeremiah Johnson 1999-04-09 20:35:20 UTC 
In the apache documentation they suggest for running apache
as a non-root user, but they also suggest making a user
specifically for apache and not using " nobody " or " nouser
".  Is it possible that we could distribute apache
configured to run as " httpd " or somthing similar?
Comment 1 Cristian Gafton 1999-04-10 02:37:59 UTC 
This will break previous installations of apache that might already
count on apache running as nobody. Under normal conitions, nobody does
not own anything on the file system anyway.
Comment 2 rossigee 1999-12-21 11:45:59 UTC 
I disagree with this resolution. I also believe that apache should run with it's
own user. After all, 'gdm' and 'xfs' and other daemons do.

For example, I have a secret key file that is shared between an Apache DSO
(mod_jserv.so) and a seperate Java process, running a processing engine. To
ensure secure communications between the two, they share a common key file. I
have the permissions set to 600, owned by the user 'apache'. If this was owned
by 'nobody', I would consider this a security hazard.