User account for running websites on linux

I have seen many blogs and articles recommending that I not run a website on Linux under the root user.

Should I create a different account for running the website? How about backends such as a MySQL database? Can they run as root while I still run the website as a non-root user?

Will Linux allow me to bind a localhost port under a different account?

I use Ubuntu 10.04 x64 server edition.


Solution 1:

The least privileges necessary to accomplish the task should be used in all cases.

Apache starts as root but spawns off children as a different user. This is specified by User and Group within httpd.conf and is non-root by default.

Non-root users can bind to ports >1024.

MySQL does not need to run as root and runs on port 3306.

Solution 2:

Taken from http://httpd.apache.org/docs/1.3/misc/security_tips.html#serverroot

In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but also the directories and parents of all directories.

For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:

cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd

You can create an htdocs subdirectory which is modifiable by other users -- since root never executes any files out of there, and shouldn't be creating files in there.
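The quoted advice says every directory from the ServerRoot up to / must be root-owned and not writable by anyone else, which is tedious to verify by hand. The script below is an added example (not from the Apache documentation or from the answer): it walks from a path up to a trusted ancestor and flags any component that is not owned by the expected uid or is group/other-writable. The function name audit_path_chain and the AUDIT_OWNER_UID variable are this example's own inventions, and it relies on GNU stat -c as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the quoted Apache docs. Walks from PATH up to
# TRUSTED_ROOT and reports every component that is not owned by the
# expected uid or is writable by group or others. Uses GNU `stat -c`.

# audit_path_chain PATH [TRUSTED_ROOT]
#   TRUSTED_ROOT (default /) is the ancestor assumed to be root-only already,
#   like /, /usr and /usr/local in the Apache text; it and everything above
#   it are not inspected.
#   AUDIT_OWNER_UID (default 0, i.e. root) is the uid every component must have.
# Prints one line per offending component. Returns 0 if the chain is clean,
# 1 if anything was flagged, 2 if a component could not be stat'ed.
audit_path_chain() {
    cur=${1%/}; [ -z "$cur" ] && cur=/
    trusted=${2:-/}; trusted=${trusted%/}; [ -z "$trusted" ] && trusted=/
    want_uid=${AUDIT_OWNER_UID:-0}
    rc=0
    while :; do
        # stop once we reach the ancestor we already trust
        [ "$cur" = "$trusted" ] && break
        uid=$(stat -c %u "$cur") || return 2
        perm=$(stat -c %A "$cur") || return 2    # e.g. drwxr-xr-x
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER  $cur (uid $uid, expected $want_uid)"
            rc=1
        fi
        # in the symbolic mode string, index 5 is the group write bit and
        # index 8 the other write bit; either one fails the "root only" rule
        case $perm in
            ?????w*|????????w*)
                echo "WRITE  $cur ($perm)"
                rc=1 ;;
        esac
        # reached the filesystem root without meeting TRUSTED_ROOT
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# Typical use for the layout in the Apache text (run as any user):
#   audit_path_chain /usr/local/apache/bin/httpd
```

With no second argument the walk goes all the way to /, so /usr and /usr/local are inspected too; pass /usr/local as the trusted root to reproduce the Apache text's assumption exactly. The check is permission bits only; it does not consider ACLs or whether a parent is a symlink.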

Solution 3:

You seem to be running Debian/Ubuntu. By default, at least Apache, MySQL and PostgreSQL run as less privileged users. You still need database users; one for normal site access and one for schema migrations is what I use.

Solution 4:

Typically you should run as many services as possible as non-root users. The reason for this is that if a service is compromised in some way, processes on your system may be started with elevated privileges. The best way I have found around the port restriction, where non-root users may not listen on ports less than 1024, is to use iptables with the PREROUTING chain in the nat table. This way you can maintain the security of least required permission, yet still answer on the popular ports.

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source     destination         
1    REDIRECT   tcp  --  0.0.0.0/0  172.16.1.10  tcp dpt:80 redir ports 8080 

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source     destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source     destination         
1    REDIRECT   tcp  --  0.0.0.0/0  172.16.1.10  tcp dpt:80 redir ports 8080 
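The listing above is the result; the commands that produce it are not shown. The script below is an added example (not from the answer) that builds the two REDIRECT rules for the address and ports in the listing (172.16.1.10, 80 to 8080). The PREROUTING rule catches traffic arriving from the network; the OUTPUT rule is needed as well because connections made on the host itself never traverse PREROUTING. The function names redirect_rule and apply_redirect and the DRY_RUN variable are this example's own; applying the rules for real requires root.

```shell
#!/bin/sh
# Added example, not from the answer above: generate and (optionally) apply
# the nat-table REDIRECT rules behind the listing. Nothing here touches the
# kernel unless DRY_RUN is unset or 0 and the caller is root.

# redirect_rule CHAIN ADDR DPORT REDIR_PORT -> prints one iptables command
redirect_rule() {
    printf 'iptables -t nat -A %s -p tcp -d %s --dport %s -j REDIRECT --to-ports %s' \
        "$1" "$2" "$3" "$4"
}

# apply_redirect ADDR DPORT REDIR_PORT
#   Adds the rule to PREROUTING (traffic from the network) and to OUTPUT
#   (locally generated traffic, e.g. a health check against the host's own
#   address), matching the two chains in the listing. With DRY_RUN=1 the
#   commands are printed instead of executed.
apply_redirect() {
    for chain in PREROUTING OUTPUT; do
        cmd=$(redirect_rule "$chain" "$1" "$2" "$3")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || return 1      # needs CAP_NET_ADMIN (root)
        fi
    done
}

# Values from the listing; the web server itself listens on 8080 as a
# non-root user.
#   DRY_RUN=1 apply_redirect 172.16.1.10 80 8080
# After applying for real, the table can be displayed in the same form as
# the listing above with:
#   iptables -t nat -L -n --line-numbers
```

Keep in mind that REDIRECT only rewrites the destination port; the unprivileged listener on 8080 is still reachable directly on 8080 unless the filter table blocks it, so pair this with an INPUT rule that permits 8080 only for the redirected traffic if direct access is unwanted.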

Solution 5:

If you install using the official Ubuntu packages (using aptitude or apt-get), the user and privileges of the service you install (e.g. apache2) will be sorted out by the package. There should be no reason for you to roll your own. Rolling your own can actually break the package upgrade process and leave you unable to install security patches.