i just saw that my daemon runs under root, and that aint good.
[root@FTP ~]# ps auxw|grep mysqld
root 9515 0.0 0.0 3940 608 pts/5 R+ 12:06 0:00 grep mysqld
i usually don't have mysqld autostart, i do that manually, well so far anyways.
so when i start it using: service mysqld start
it will run under root, can somehow i set it to run under another user and whats the best user for it?
'nobody' maybe?
(got the same problem with httpd too)
mysql and the user its runs under
The initial daemons need to be run under root, especially in the case of Apache. The reason Apache specifically needs to start as root is because it has to bind to a low port (ports 1024 and less are low ports) which require root level authority. However, this isn't all that bad because any time a new connection request is made a child process is spawned and run under a user with less than root authority. So when you do a process list and grep for all of the Apache processes you should see one running under root and the rest running under another ID:
Notice the parent process for all fo the children is the one running as root.
Code: Select all
$ ps -ef | grep httpd
root 2499 1 0 Dec08 ? 00:00:01 /usr/sbin/httpd
apache 24070 2499 0 Dec10 ? 00:02:50 /usr/sbin/httpd
apache 24071 2499 0 Dec10 ? 00:02:41 /usr/sbin/httpd
apache 24072 2499 0 Dec10 ? 00:02:59 /usr/sbin/httpd
apache 24073 2499 0 Dec10 ? 00:02:39 /usr/sbin/httpd
apache 24074 2499 0 Dec10 ? 00:02:47 /usr/sbin/httpd
apache 24075 2499 0 Dec10 ? 00:03:10 /usr/sbin/httpd
apache 24076 2499 0 Dec10 ? 00:02:40 /usr/sbin/httpd
apache 24077 2499 0 Dec10 ? 00:03:00 /usr/sbin/httpd
apache 4711 2499 0 Dec10 ? 00:02:38 /usr/sbin/httpd
apache 4760 2499 0 Dec10 ? 00:02:27 /usr/sbin/httpd
apache 4817 2499 0 Dec10 ? 00:02:40 /usr/sbin/httpd
apache 4898 2499 0 Dec10 ? 00:02:41 /usr/sbin/httpd
apache 11193 2499 0 Dec10 ? 00:02:17 /usr/sbin/httpd
apache 16298 2499 0 Dec10 ? 00:01:53 /usr/sbin/httpd
apache 25532 2499 0 Dec10 ? 00:01:33 /usr/sbin/httpd
apache 23906 2499 0 07:11 ? 00:00:00 /usr/sbin/httpd
apache 23907 2499 0 07:11 ? 00:00:01 /usr/sbin/httpd
apache 23909 2499 0 07:11 ? 00:00:00 /usr/sbin/httpd
apache 23910 2499 0 07:11 ? 00:00:00 /usr/sbin/httpd
apache 23911 2499 0 07:11 ? 00:00:00 /usr/sbin/httpd
voidmain 24135 23973 0 07:16 pts/0 00:00:00 grep httpd
oh, hehe 
I wasnt smart enough to do 'ps' when i had made a connection to it, lol
well i do see the same as you, it suns the new processes under 'apache', then i got a follow up question, to set maximum protection against hacking etc unless using .htaccess and other things, should/could i 'chown' all files and folder to the group/user 'apache'.
I have made this already in my testing and it works, but i havent found any data telling me that this is a good thing or not.
I wasnt smart enough to do 'ps' when i had made a connection to it, lolwell i do see the same as you, it suns the new processes under 'apache', then i got a follow up question, to set maximum protection against hacking etc unless using .htaccess and other things, should/could i 'chown' all files and folder to the group/user 'apache'.
I have made this already in my testing and it works, but i havent found any data telling me that this is a good thing or not.
Absolutely not. That's the absolute worst thing you can do for security. The funny part about this is I have seen tutorials that tell you to do just that. I have to send the authors of such tutorials messages ripping them a new one when I see it.Basher52 wrote:i got a follow up question, to set maximum protection against hacking etc unless using .htaccess and other things, should/could i 'chown' all files and folder to the group/user 'apache'.
Think about what happens if someone were to exploit a buffer overflow in your Apache daemon and gain a shell. Or even easier, exploit a vulnerability in one of your many PHP or any other CGI script. What UserID will this shell be running under? That's right, the user "apache". Now, if you are logged on as the user "apache" what files and directories can you write to and what files can't you write to? Obviously anything owned by the user "apache" is fair game and expect a defacing right off the bat, if you're lucky that is. So believe it or not it is *most* secure if the directories/files are owned by root and only have read permission wherever possible. Give the minimum amount of permissions that you possibly can.
To tell you the truth I usually set the ownership to my personal local user account (e.g. voidmain) on directories that I personally want to work. That way I can log on as user voidmain and make any changes necessary to files in my web directories and not have to switch user to root, AND the apache user doesn't have permission to write/change anything. That's probably the optimal way to do it.
So most directories are set owner:group voidmain:voidmain and rwxr-xr-x and most files are voidmain:voidmain rw-r--r--. In this case someone would have to either get access to my local "voidmain" account or "root" before anything could be changed. I really prefer to set my machines up so I don't have to become root for normal development/web type stuff.
thanks for clearing this up.Re: mysql and the user its runs under
OK, now 13 years later I'm here again, now with SELinux in Enforcing. I used to just turn SELinux off or make it permissive but now I'm convinced to use it and it makes my b*tt hurt a bit 
I need to set a website up for my sis and using Wordpress for that.
I found a super YT-vid about SELinux: https://www.youtube.com/watch?v=_WOKRaM-HI4 and I set it as it should be and it seems to work.
Now the bad part of Wordpress is that it can't download updates through anything else than FTP/FTPS, I soooo wish they could add SFTP then it should work as it is but it won't so now I'm trying to set a vsftpd up and it seems that it can't see inside that var/www/html/masensts directory so my first guess is SELinux. I can't change the context to anything else than httpd and that is understandable. This might just be a missunderstanding of vsftpd and its settings so.... I can't be sure so I'm still trying to figure this out.
I also before had a big argument with some other Linux 'dudes' that just told me to set the owner to be Apache:Apache. But I first told them that I know a Linux dude that knows everything about Linux, namely 'Voidmain' (no name told to them tho) that I should NEVER EVER do that and they just asked me to contact you to tell you that you're wrong but I won't do it. Is this issue still the same? that I should never ever set the owner to Apache? For me it sure sounds like it as you described it before.
Questions to summon up:
1st, owner of web files, still never ever Apache? (I'm still not doing that until YOU(Voidmain) and no one else than you, tells me otherwise)
2nd, how does the web hosting services handle this with httpd-files and ftp into it? do they let httpd look inside the home dir of the user or the other way around? I want this to be as easy as possible on my test server but also as close to the hosting server that it will landing on later on.
I'm also gonna try all this again with permissive and see if it works and then later do the 'audit2allow' and see if the error really is in SELinux cos I'm starting to doubt it now....
I need to set a website up for my sis and using Wordpress for that.
I found a super YT-vid about SELinux: https://www.youtube.com/watch?v=_WOKRaM-HI4 and I set it as it should be and it seems to work.
Now the bad part of Wordpress is that it can't download updates through anything else than FTP/FTPS, I soooo wish they could add SFTP then it should work as it is but it won't so now I'm trying to set a vsftpd up and it seems that it can't see inside that var/www/html/masensts directory so my first guess is SELinux. I can't change the context to anything else than httpd and that is understandable. This might just be a missunderstanding of vsftpd and its settings so.... I can't be sure so I'm still trying to figure this out.
I also before had a big argument with some other Linux 'dudes' that just told me to set the owner to be Apache:Apache. But I first told them that I know a Linux dude that knows everything about Linux, namely 'Voidmain' (no name told to them tho) that I should NEVER EVER do that and they just asked me to contact you to tell you that you're wrong but I won't do it. Is this issue still the same? that I should never ever set the owner to Apache? For me it sure sounds like it as you described it before.
Questions to summon up:
1st, owner of web files, still never ever Apache? (I'm still not doing that until YOU(Voidmain) and no one else than you, tells me otherwise)
2nd, how does the web hosting services handle this with httpd-files and ftp into it? do they let httpd look inside the home dir of the user or the other way around? I want this to be as easy as possible on my test server but also as close to the hosting server that it will landing on later on.
I'm also gonna try all this again with permissive and see if it works and then later do the 'audit2allow' and see if the error really is in SELinux cos I'm starting to doubt it now....