I have compiled different softwares (apache, postgresql, proftpd, and jboss) and installed then into a single directory (with the --prefix configure option). I have something like that: /opt/apache /opt/proftpd /opt/postgresql /opt/jboss. I run all these services with the same user. I've done that 'cause it's easier for me in term of right management (all services have access to the same data directory). And it's a way for me to "package" all the services I use in a single directory.
To start the services:
- apache: started in root, and I have set the following directives in the config file: "User pol" "Group pol"
- postgresql: started with user "pol"
- proftpd: started in root, and I have set the following directives in the config file: "User pol" "Group pol"
- jboss: started with user "pol"
pol user have a shell. It's useful for maintenance.
- What do you think about this config?
- Should I run all these services with different users?
- What are the security best practices for users/services management?
Thank You !!
Here are some toughts about your question:
Usually a dedicated account with nologin is used for running services.
Maybe you should try to chroot or jail at least the apache daemon to gain extra security.
If your database server is used only locally, you may consider connecting with the socket trought the filesystem and denying network access to it.