Tanguy <[EMAIL PROTECTED]> writes:
> I have just installed wwwoffle on a new computer from mandrake rpm
> (wwwoffle-2.7h-2mdk), and I realized that wwwoffle is started by default by
> the root.
>
> Since this is not recommended, I would like to know if there is a "standard"
> username which may be recommended to start wwwoffle (daemon for instance?).
>
> And based on this user, what should the permissions be for the
> /var/spool/wwwoffle directory? (by default the rpm sets them to:
> rwxr-x--x root:root )
Running WWWOFFLE as root *may* be a security risk; I cannot say for
certain that there are no bugs that make a security risk.

Running it as another user is simple. You need to edit the
wwwoffle.conf configuration file (probably in /etc/wwwoffle.conf or
/etc/wwwoffle/wwwoffle.conf or /var/spool/wwwoffle/wwwoffle.conf but
could be elsewhere). In the StartUp section you need to add an entry
for run-uid and run-gid. When you start WWWOFFLE next time as root it
will change to the specified user.

For example:

    StartUp
    {
     ...
     run-uid = daemon
     run-gid = daemon
     ...
    }

You could choose another user instead of daemon, perhaps www-data or
even create a new user called wwwoffle. It doesn't matter what user
you choose, but making a new user that only has access to the WWWOFFLE
files will reduce the risk of problems.

After making the change you should stop the WWWOFFLE server and change
the ownership of the cached files (normally in /var/spool/wwwoffle) so
they are owned by the same user as listed in the wwwoffle.conf file.

For example:

    chown -R daemon /var/spool/wwwoffle
    chgrp -R daemon /var/spool/wwwoffle

You also need to make sure that all of the WWWOFFLE configuration
files are readable by the user that you have chosen.

The permissions on the /var/spool/wwwoffle directory should also be
changed so that the user you have chosen has write permission to it
(The chown and chgrp commands I give above will do this anyway).

It would be a good idea if you can report this configuration of
WWWOFFLE as a bug to the person who created the RPM. This will stop
other people having the same problems and encourage good security.

--
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop [EMAIL PROTECTED]
http://www.gedanken.demon.co.uk/
WWWOFFLE users page:
http://www.gedanken.demon.co.uk/wwwoffle/version-2.7/user.html
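
The checks described in the reply above, as an added example (not part of the original message and not WWWOFFLE's own code): a shell audit that reads run-uid and run-gid from the StartUp section and confirms that every entry in the spool tree is owned by that user and group. The function names are hypothetical, and the parser assumes "StartUp" and "{" each sit on their own line, as in the example in the reply.

```shell
#!/bin/sh
# Added example: audit a WWWOFFLE privilege-drop setup (function names are hypothetical).

# Print the value of KEY ($2) from the StartUp { ... } section of FILE ($1).
# Assumes "StartUp" and "{" each sit on their own line, as in the reply above.
startup_value() {
    awk -v key="$2" '
        /^[ \t]*#/                 { next }                 # comment line
        /^[ \t]*StartUp[ \t]*$/    { want = 1; next }
        want && /^[ \t]*[{]/       { inside = 1; want = 0; next }
        inside && /^[ \t]*[}]/     { exit }                 # end of section
        inside {
            line = $0
            sub(/#.*/, "", line)                            # defensive: drop trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# Count entries under DIR ($1) not owned by USER ($2) and GROUP ($3); 0 means consistent.
spool_mismatches() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print | wc -l | tr -d ' '
}

# usage: audit_wwwoffle CONF SPOOL
# Returns 1 if the daemon would keep root, 2 if spool ownership does not match.
audit_wwwoffle() {
    uid=$(startup_value "$1" run-uid)
    gid=$(startup_value "$1" run-gid)
    if [ -z "$uid" ] || [ "$uid" = root ] || [ "$uid" = 0 ]; then
        echo "FAIL: run-uid is unset or root"; return 1
    fi
    if [ -z "$gid" ]; then echo "FAIL: run-gid is unset"; return 1; fi
    bad=$(spool_mismatches "$2" "$uid" "$gid")
    if [ "$bad" -ne 0 ]; then
        echo "FAIL: $bad spool entries not owned by $uid:$gid"; return 2
    fi
    echo "OK: runs as $uid:$gid and spool ownership matches"
}
```

Source the file and run `audit_wwwoffle /etc/wwwoffle/wwwoffle.conf /var/spool/wwwoffle` after the chown and chgrp, substituting the paths used on your system.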