I've read in multiple books and online to never run apache as root... Yet when run on startup, it is running as root, correct??? Will SetUID'ing the httpd to a benign user with little filesystem access work??? So that when apache is launched on startup, it's running with the benign user's premission??? Or did I read this wrong???
Sorry for lame newbie question... :)
Any help = greatly appreciated...
September 25th, 2002, 12:49 AM
Erm, in short no.
Apache starts as root because if you're running it on a privileged port like 80, it has to otherwise it cannot use port 80.
The master process stays as root in order to open log files and bind to any other ports it may need to.
The child processes (which do all the actual work) change to another user with limited access, and all filesystem access for HTTP requests, executing PHP pages, CGI scripts etc happens under this user.
If you don't like it starting up as root, ensure that it can access port 80 in some other fashion - under Linux I believe it's possible to do this with "capabilities".
If you install mod_pam_capabilities I think it's called (not 100% sure), then you can assign capabilities to users at login. In this way you can let your "www" user access low port numbers without needing to give them root access. Then you can start the apache service by su'ing to your "www" user then starting apache normally.
Other unix-like OSs have similar restrictions and ways around.
Note that Windows NT has no such restrictions, any user may use port 80. Therefore you can run Apache entirely as a non-privileged user on Win NT (although you still need to be administrator to start it as a service)
In any case on a Unix-like OS it is possible to run as an unprivileged user if you use a high port number. I run Apache in this manner exclusively during development, as it makes it a lot easier to start/stop (I run it as my normal login). Many sites use port 8080 or 8888 for this but you can use whatever you like.
September 25th, 2002, 01:02 AM
Wowzer... That was a quick reply...
Thanks for the info...
So if I'm running on a standard port 80, setting the "User" and "Group" directives in the httpd.conf are enough to harden your apache??? (At least as much as can be expected...)
So I'm assuming that the references I have read regarding "Dont run apache as root" mean don't use:
in your httpd.conf...