From: Joe Orton Date: Wed, 19 Feb 2020 10:52:38 +0000 (+0000) Subject: Warn against using "nobody" for User/Group since it's bad practice. X-Git-Tag: 2.5.0-alpha2-ci-test-only~1639 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd5e57152a406699d91d61508ba0e8e753334888;p=thirdparty%2Fapache%2Fhttpd.git Warn against using "nobody" for User/Group since it's bad practice. Add note on supplementary groups. [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874187 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_unixd.xml b/docs/manual/mod/mod_unixd.xml index 0c9dd6e930b..656f38a1ac9 100644 --- a/docs/manual/mod/mod_unixd.xml +++ b/docs/manual/mod/mod_unixd.xml @@ -61,13 +61,16 @@ requests

It is recommended that you set up a new group specifically for - running the server. Some admins use user nobody, - but this is not always possible or desirable.

+ running the server. If the configured User + is a member of any supplementary groups, the process will also + become a member of these groups.

Security

Don't set Group (or User) to root unless - you know exactly what you are doing, and what the dangers are.

+ you know exactly what you are doing, and what the dangers are. + It is not recommended to use the group nobody, + which is not intended for use by long-running daemons.

 @@ -106,14 +109,14 @@ requests outside world, and similarly, the user should not be able to execute code that is not meant for HTTP requests. It is recommended that you set up a new user and group specifically for - running the server. Some admins use user nobody, but - this is not always desirable, since the nobody user - can have other uses on the system.

+ running the server.

Security

Don't set User (or Group) to root unless - you know exactly what you are doing, and what the dangers are.

+ you know exactly what you are doing, and what the dangers are. + It is not recommended to use the user nobody, + which is not intended for use by long-running daemons.