Running Apache as a different user

linux permissions ubuntu user-accounts apache-http-server

When I run the ps -efH command to list out all the process, I can see Apache running as root and seems to have sub-processes running as www-data. Here's the excerpt:

root     30117     1  0 09:10 ?        00:00:00   /usr/sbin/apache2 -k start
www-data 30119 30117  0 09:10 ?        00:00:00     /usr/sbin/apache2 -k start
www-data 30120 30117  0 09:10 ?        00:00:00     /usr/sbin/apache2 -k start
www-data 30121 30117  0 09:10 ?        00:00:00     /usr/sbin/apache2 -k start

Can I make Apache and all sub-processes run as different user apache2d:apache2d? If so how? I read somewhere that the settings for this can be found in /etc/apache2/httpd.conf but that file seems to be empty? Can this be accomplished by changing the owner and group of the /etc/init.d/apache2 script and then settings the setuid flag on it?


Solution 1:

Apache has to run as root initially in order to bind to port 80. If you don't run it as root initially then you cannot bind to port 80. If you want to bind to some port above 1024 then yes, you can. Otherwise don't worry about root. That is the parent Apache process and does not serve any requests. It will spawn child processes and drop privileges for handling requests.

To change the Apache user set the User and Group parameters in your Apache config.

Solution 2:

@bahamat explains it pretty well, but I'll add a little more detail.

In the course of normal operation, the root-owned apache process will not perform any actual operations other than listening on port 80 and forwarding incoming connections to its (safely non-privileged, as the www-data user) children.

The location of the master configuration file depends on compile-time options and varies per distribution, but /etc/apache2/apache2.conf is a good starting guess.

Also, if you're setting up a multi-user webhosting system, you might want to look into SuExec and fcgid so that each individual webhosting user's apache process runs as said user -- so that if one user is negligent with their security, other users won't be affected.

Solution 3:

In Ubuntu at least, the settings for this are in /etc/apache2/envvars. Tweak those, then restart apache and you're off and running.

Related

How to do division with bc (bench calculator) and obtain fractional results?
Rotate a picture by a small number of degrees
Equivalent of 'clear' command when using tail -f
Vi can write to file despite file being read-only
Is my connection really encrypted through VPN?
Are Mac Minis suitable for a proper desktop computer?
Does Mac OS X manage registries for installed applications?
How can I copy files with SSH?
Ending a process in Unix instead of interrupting it
should case fans blow air into or out of the case
Is there a way to move a column in between existing columns with drag-and-drop?
2 DHCP Server it is possible to set a default server and a second