Find a good user name. This user name should be a normal user with the least privileges. Lots of distributions already have a special account for this. Common names include "www", "www-data", "httpd", "nobody" (Caudium on Debian GNU/Linux runs as www-data:www-data by default). We don't recommend "nobody" though; to quote Theo de Raadt:
Change the owner of the files which Caudium needs to write to. These include:
On a Caudium source install the following command should do the job:
# chown -R www-data.www-data logs/ var/ argument_cache/ bgcache/ configurations/ server/*.pem server |
$ ls -l total 32 drwxr-sr-x 6 www-data www-data 4096 Feb 13 23:17 argument_cache drwxr-sr-x 2 www-data www-data 4096 Feb 19 09:27 bgcache drwxr-sr-x 2 www-data www-data 4096 Mar 4 22:28 configurations drwxr-sr-x 4 root staff 4096 Feb 13 23:16 local drwxr-sr-x 7 www-data www-data 4096 Mar 3 11:50 logs drwxr-sr-x 2 root staff 4096 Feb 13 23:16 readme drwxr-sr-x 19 www-data www-data 4096 Feb 19 20:13 server drwxr-sr-x 2 www-data www-data 4096 Mar 3 19:28 var $ id www-data uid=33(www-data) gid=33(www-data) groups=33(www-data) |
I will now speak about general security measures you can take if you are very strict about security.
Don't allow users to execute scripts that are part of the server.
![]() | Uniscript is a CGI-like wrapper. It will execute programs as if they were CGI scripts but unlike CGI, it does not require you to put these programs under a specific directory like /cgi-bin/. For example each user can have his or her CGI script in his or her directory. Moreover Caudium can execute them with the uid of the owner. |
Don't use anything you don't need. Remove any modules you don't need in your virtual server.
Global Variables -> Version numbers -> Show Caudium Version Number.
Global Variables -> Version numbers -> Show Pike Version Number.
Turn off any debug options specific to a module. These options are for developers, and they don't have security in mind when they debug output.
Actually, this is security through obscurity and doesn't increase the security of the server. | ||
--Grendel |
Output Caudium's log files to a separate partition. /var is a good choice for that purpose.
If your job relies on your web server security, check the Caudium source.