
Author Topic: Apache secure, flexible config  (Read 5186 times)

softwaregurl
Apache secure, flexible config
« on: December 28, 2008, 09:42:47 PM »
It is recommended that Apache run as an unprivileged user, i.e., started as root, then switching to the user(s) in the conf file(s).  My thinking is a second user in addition to tc that has no sudo or root privileges and can only execute the essentials like PERL or PHP.  Not hard.  So what is the best way to implement this?  An executable triggered manually on the first load?  It would need to prompt for a password and add files to the backup.  May also need to modify file(s).

Second, I will want to enable things like CGI.  For flexibility I am thinking 1 additional conf file for each, with documentation on adding 1 line to the main conf file and stressing adding that to the backup.  Or maybe an executable triggered once, because the user Apache is running as would need to be able to run what is being added, so that file also has to be changed.  The file name apache-CGI-patch.tcel with a .dep that grabs the full version of perl, for instance.

Does this sound like a lot more than most people would need?  It is what I need, but it wouldn't take much to do 2 versions.  This and what I have submitted that runs as user tc with the site in backup or persistent home.  But if I am developing the more complex version anyway, why would I not make it available to everyone?

A lot of semi-cryptic thinking out loud.  What crosses your mind?
Old wounds that have never healed need to be re-exposed before the cure can be applied.  The cure must be available before the wound is re-exposed.

mikshaw
Re: Apache secure, flexible config
« Reply #1 on: December 29, 2008, 06:42:17 AM »
I don't think there would need to be much work involved as far as switching users is concerned.  Most web servers will switch users for you with a single setting in the config file.  TC has user "nobody" and group "nogroup" for uses such as this.  If you really want to secure a web server, using a chroot jail in addition to a limited user is safer.  Personally I haven't gone that far, since my server doesn't allow connections beyond the local network (currently 2 machines).

I have no idea what you are planning with CGI =o)
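
The setup described in the reply above (Apache dropping to an unprivileged account through its config file, optionally inside a chroot) can be checked with a short script. This is an added example, not part of the thread or of any Tiny Core extension; the sample configs are constructed, and treating `tc` as privileged is an assumption taken from the first post's remark about sudo.

```shell
#!/bin/sh
# Added example: check which account an Apache config drops privileges to.
# PRIVILEGED is this example's assumption: root, uid 0 (#0), and Tiny Core's
# default user tc, which the thread says has sudo rights.
PRIVILEGED="root #0 tc"

# audit_httpd_user FILE -> one finding per line; returns 1 on any FAIL.
audit_httpd_user() {
    awk -v priv="$PRIVILEGED" '
        BEGIN { n = split(priv, p, " "); for (i = 1; i <= n; i++) isbad[p[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        { d = tolower($1) }                    # directive names are case-insensitive
        d == "user"      { user = $2 }         # this script keeps the last occurrence
        d == "group"     { group = $2 }
        d == "chrootdir" { jail = $2 }
        END {
            fail = 0
            if (user == "")         { print "FAIL: no User directive"; fail = 1 }
            else if (user in isbad) { print "FAIL: User " user " is privileged"; fail = 1 }
            else                      print "OK: User " user
            if (group == "")        { print "FAIL: no Group directive"; fail = 1 }
            else if (group == "root" || group == "#0") {
                print "FAIL: Group " group " is privileged"; fail = 1 }
            else                      print "OK: Group " group
            if (jail == "") print "NOTE: no ChrootDir set"
            else            print "OK: ChrootDir " jail
            exit fail
        }
    ' "$1"
}

# Constructed sample configs (not from the thread).
tmp=$(mktemp -d)
printf 'ServerRoot /usr/local/apache2\nUser tc\nGroup staff\n' > "$tmp/weak.conf"
printf '# hardened\nuser nobody\nGroup nogroup\nChrootDir /var/jail\n' > "$tmp/ok.conf"
for f in weak ok; do
    echo "== $f.conf"
    audit_httpd_user "$tmp/$f.conf" || echo "-> fix before exposing this server"
done
rm -rf "$tmp"
```
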

tobiaus
Re: Apache secure, flexible config
« Reply #2 on: December 29, 2008, 12:14:12 PM »
it sounds great. it would be fantastic if there was an apache extension you could download and use with good secure settings. personally i never run a server because i never learned how to configure one.

similarly, it would be nice to have easy tips for securing tc. there is a firewall, but i haven't heard anyone recommend the documentation (or the use of the firewall,) and there is more than one way to set the passwords in tinycore, but i've always heard people recommend the way that is as complicated as possible. what, we're not supposed to use the passwd command?