  1. #1
    Junior Member
    Join Date
    Dec 2002

    Novice apache permissions question

    I believe there are two (if not more) levels of permission to run apache under. I think one is equivalent to anonymous or a very restricted user. I think the other is equivalent to root, running under sudo possibly? Can someone tell me what benefits there are to running under root, what benefits there are to running under anonymous, and why you would choose one or the other.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    For 1.3 see http://httpd.apache.org/docs/misc/security_tips.html
    For 2.0 see http://httpd.apache.org/docs-2.0/mis...rity_tips.html

    NEVER leave apache running as root. Unless you want to get 0wn3d
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    You should leave it running with its default permissions (it loads up as root, then spawns off a child as a 'nouser' or 'nobody' user, or if you insist have a 'webuser' with no permissions on the system). The reason the initial process must run as root is that the web daemon must bind to a port below 1024, which in unix requires root access (if you bound it to something > 1024, like 8080, then you don't even need root access for that, in which case it can be all 'nobody' user). After the port is bound to 80, a child process spawns that handles the requests and it only has enough privileges to handle the web requests of the clients and hand off the various data (usually through 'other' access on the file permissions in the web directories). The reason for this is that if someone does something bad to the daemon (like applies the latest greatest hack and your server is vulnerable), the most they get is 'nobody' access, in which case they must find some way to escalate their privileges before they can do anything (at least if your file permissions are proper). If you were to have run the web server as root (very very very bad idea), they would now have root access to your system, not nobody...

    Hope that helps,

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Jan 2002
    There is absolutely no need to run any vaguely "normal" configuration under root.

    Apache should be started as root, and then it reads its configuration file, and drops privileges accordingly before serving any requests.

    It needs to be started as root:

    - To bind to ports <1024
    - To write to log files

    However, patches are available for Linux (certainly) which enable (authorised) users other than root to bind to <1024, in which case it doesn't need even to start as root.

    In principle, someone running CGI scripts, PHP etc, cannot gain access to root by virtue of running their processes as the same ID as apache (although they can do pretty effective DoS attacks, but they would be able to anyway).

    Normally there is a user "nobody", "apache" or "www" set up for this purpose, who runs little else.

    Note that Apache on Windows is a totally different beast, but that does not need to run as Administrator or LocalSystem either (on Windows the port 1024 restriction is nonexistent, as it's primarily a single-user system).

    The only reason I can think of running Apache as root is if its only purpose is web-based administration; even then it probably shouldn't.
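The bind-as-root-then-drop sequence that nebulus200 and the reply above describe, as an added example (not code from this thread or from Apache itself); the port 80 and the 'nobody' account in the main block are assumed values, and the helper names are illustrative, not an Apache API.

```python
import os
import pwd
import grp
import socket


def running_as_root() -> bool:
    return os.geteuid() == 0


def bind_listener(port: int, host: str = "127.0.0.1") -> socket.socket:
    """Bind while still root: ports below 1024 need root (or CAP_NET_BIND_SERVICE).
    Anything >= 1024, e.g. 8080, can be bound by an unprivileged user directly."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def privileges_dropped() -> bool:
    """True only if this process can no longer become root again.

    A drop done with seteuid() leaves the saved uid at 0, so setuid(0) would
    still succeed; a real drop makes that call fail with EPERM."""
    if running_as_root():
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # setuid(0) succeeded: the 'drop' was only cosmetic


def drop_privileges(user: str) -> tuple:
    """Permanently switch to an unprivileged account such as 'nobody'.

    Order matters: supplementary groups and gid first, uid last, because once
    the uid is no longer 0 the group calls are refused."""
    pw = pwd.getpwnam(user)
    if pw.pw_uid == 0:
        raise ValueError("refusing to 'drop' to a uid-0 account")
    os.setgroups([g.gr_gid for g in grp.getgrall() if user in g.gr_mem])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if not privileges_dropped():
        raise RuntimeError("privilege drop did not stick")
    return pw.pw_uid, pw.pw_gid


if __name__ == "__main__":
    # Assumed values: listen on port 80 as root, then serve as 'nobody'.
    listener = bind_listener(80)
    print("serving as uid/gid", drop_privileges("nobody"))
    conn, _peer = listener.accept()  # requests are handled here without root
    conn.close()
```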
