Securing your Web server
4. Jailing your Web users
  


Creating a new UID/GID for the httpd daemon


Next, if you have not already done so, create a unique user and group ID to run the server daemon under. As explained in Never run the daemon as root, you should never run this service as root. In the case of a chrooted environment, avoid using a user or group ID that already exists on the system (for example, nobody) as this allows a service to access the resources of any other service running under the same ID, which totally defeats the purpose of the chroot jail.

The example shown creates the user www and the group www, both with an ID of 80. Note also that the user is assigned the special shell /bin/false, meaning no one can log in to the system by using this ID.


[root@thor bin]# useradd -c "Apache Server" -u 80 -s /bin/false \
	-r -d /home/httpd \
	www 2>/dev/null || :

For an explanation of the options used in the above command, type man useradd.
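
One way to verify the result, as an added example that is not part of the original tutorial: the shell function below reads passwd- and group-format files and reports when a service account shares its UID or primary GID with another account, has other members in its group, or has a login shell. The function name, the finding labels, the legacy account and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial. Usage:
#   check_service_account NAME PASSWD_FILE GROUP_FILE
# Prints one finding per line; exit status 0 = clean, 1 = findings.
check_service_account() {
    awk -F: -v name="$1" '
        function bad(msg) { print msg; findings++ }
        FILENAME == ARGV[1] {   # passwd: name:pw:uid:gid:gecos:home:shell
            if ($1 == name) { found = 1; uid = $3; gid = $4; shell = $7 }
            else { by_uid[$3] = by_uid[$3] " " $1; by_gid[$4] = by_gid[$4] " " $1 }
            next
        }
        found && $3 == gid {    # group: name:pw:gid:member,member,...
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != name) extra = extra " " m[i]
        }
        END {
            if (!found) { print "MISSING: no account named " name; exit 1 }
            if (name == "nobody") bad("GENERIC: nobody is a pre-existing shared account")
            if (uid == 0) bad("ROOT: account has UID 0")
            if (uid in by_uid) bad("SHARED-UID: " uid " also used by" by_uid[uid])
            if (gid in by_gid) bad("SHARED-GID: " gid " is primary group of" by_gid[gid])
            if (extra != "") bad("GROUP-MEMBERS: GID " gid " also contains" extra)
            if (shell !~ /\/(false|nologin)$/) bad("LOGIN-SHELL: " shell)
            exit (findings > 0)
        }
    ' "$2" "$3"
}

# Constructed sample data (not from a real host); "legacy" is hypothetical.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
www:x:80:80:Apache Server:/home/httpd:/bin/false
legacy:x:99:99:Old httpd account:/var/www:/bin/bash
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
nobody:x:99:ftp
www:x:80:
EOF

check_service_account www "$tmp/passwd" "$tmp/group" && echo "www: OK"
check_service_account legacy "$tmp/passwd" "$tmp/group" || echo "legacy: fix first"
```

On a live system the same function can be pointed at /etc/passwd and /etc/group after running useradd.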

