> Date: Wednesday, September 14, 2016 08:16:32 -0400
> From: Tom Hammond <tominohio@xxxxxxxxx>
>
> I have an Apache 2.2x server and would like to harden security so
> that hackers can't get in easily to the Apache webserver. One
> suggestion is to change the user/group for Apache to a
> non-privileged account.
>
> Currently the user "fpp" is the default user for Apache which has
> access to the operating system via sudo commands.
>
> I entered these commands to create a non-privileged account:
> sudo groupadd http-web
> sudo useradd -d /opt/fpp/www/ -g http-web http-web
>
> I then edited /etc/apache2/envvars to change these lines:
> export APACHE_RUN_USER=http-web
>
> export APACHE_RUN_GROUP=http-web
>
> I also ran this command to change user/group permissions on this
> folder: sudo chown -R http-web:http-web /var/lock/apache2/
> sudo chown -R http-web:http-web /opt/fpp/www
>
> Finally, I restarted the Apache service with this command:
> sudo service apache2 restart
>
> When I try to access the website on this server, I receive the
> following message:
>
> Forbidden: You don't have permission to access / on this server.
>
> I've been scouring the Internet trying to figure out how to switch
> the default "fpp" Apache user to a non-privileged account and can't
> figure it out. Can someone shed some light on this?

There's nothing about the "apache" user/group that inherently makes
it privileged. It's just a standard user/group that the apache
server (generally) runs as.

What you do want to make certain of is that your DocumentRoot is not
owned by the user/group that the webserver is running as, and that
it is not writable by that user/group. The webserver does need read
access to the files (and execute to directories) under the
DocumentRoot.
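
The ownership and permission rules given in the reply can be checked mechanically. The following is an added example, not code from the thread or from the Apache project: it walks a DocumentRoot and reports every path that the server account owns, can write to, cannot read, or (for directories) cannot traverse. The function names are hypothetical, and POSIX ACLs and symlink targets are not evaluated.

```python
import grp
import os
import pwd
import stat


def effective_bits(st, uid, gids):
    """rwx bits (0-7) the kernel applies to uid/gids; ACLs are ignored."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit_docroot(root, uid, gids):
    """Return sorted (relative path, issue) pairs for the server account."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink targets are not followed here
            rel = os.path.relpath(path, root)
            bits = effective_bits(st, uid, gids)
            if st.st_uid == uid:
                findings.append((rel, "owned by server user"))
            if st.st_gid in gids:
                findings.append((rel, "owned by server group"))
            if bits & 2:
                findings.append((rel, "writable by server"))
            if not bits & 4:
                findings.append((rel, "not readable by server"))
            if stat.S_ISDIR(st.st_mode) and not bits & 1:
                findings.append((rel, "directory not traversable"))
    return sorted(findings)


def audit_for_account(root, username):
    """Resolve an account name (e.g. the thread's http-web) and audit root."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return audit_docroot(root, pw.pw_uid, gids)
```

Calling `audit_for_account("/opt/fpp/www", "http-web")` after the `chown -R http-web:http-web` from the question would list every path as owned by the server user and group. An empty result means the tree satisfies the reply's conditions for that account.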