Apache user?
Auke Kok
sofar at lunar-linux.org
Wed Apr 21 09:35:57 GMT 2004
Jerry Lundström wrote:
> Jon South wrote:
>
>> Talking to a friend of mine, chipux, who's a rather avid apache
>> user/developer convinced me to inquire if anyone is against adding an
>> apache user to the apache modules. I don't see an issue with that, and
>> would probably help with overall security since many other things
>> might be running as the user 'nobody' as well.
>>
>> I don't know if anyone would really be in opposition of this, but I
>> thought I'd ask before trying any changes to the apache modules. If
>> nothing else, perhaps we could make it optional?
>
On the personal opinion side: I think everyone setting up an apache
should edit the .conf carefully and choose a proper uid for its daemons.
Having a specific uid for apache turns out to be beneficial, but who says
it needs to be 'xxx' and not 'yyy'?

That said, it would be wise to check what FHS/LSB have to say about UIDs
for www daemons. Please bear in mind that there is also a httpsd process
that will need to be adjusted accordingly, so you're talking about 2
used IDs here.

Anyway, before you turn up a mess, here's a brief list of possibilities:
www, w3, http, httpd, apache, web, https, httpsd.... the list of
possible choices is endless... nobody isn't all that bad, folks -
especially for defaults.

PS: I don't see 'many' other processes running as nobody actually. Are
there actually modules that consistently use the uid 'nobody'?

sofar