> Date: Wednesday, September 14, 2016 17:37:36 -0400
> From: Tom Hammond <tominohio@xxxxxxxxx>
>
>> From: Richard
>> Sent: Wednesday, September 14, 2016 5:06 PM
>>
>>> Date: Wednesday, September 14, 2016 08:16:32 -0400
>>> From: Tom Hammond <tominohio@xxxxxxxxx>
>>>
>>> I have an Apache 2.2x server and would like to harden security so
>>> that hackers can't get in easily to the Apache webserver. One
>>> suggestion is to change the user/group for Apache to a
>>> non-privileged account.
>>>
>>> Currently the user "fpp" is the default user for Apache, which has
>>> access to the operating system via sudo commands.
>>>
>>> I entered these commands to create a non-privileged account:
>>>   sudo groupadd http-web
>>>   sudo useradd -d /opt/fpp/www/ -g http-web http-web
>>>
>>> I then edited /etc/apache2/envvars to change these lines:
>>>   export APACHE_RUN_USER=http-web
>>>   export APACHE_RUN_GROUP=http-web
>>>
>>> I also ran these commands to change user/group ownership of these
>>> folders:
>>>   sudo chown -R http-web:http-web /var/lock/apache2/
>>>   sudo chown -R http-web:http-web /opt/fpp/www
>>>
>>> Finally, I restarted the Apache service with this command:
>>>   sudo service apache2 restart
>>>
>>> When I try to access the website on this server, I receive the
>>> following message:
>>>
>>>   Forbidden: You don't have permission to access / on this server.
>>>
>>> I've been scouring the Internet trying to figure out how to switch
>>> the default "fpp" Apache user to a non-privileged account and
>>> can't figure it out. Can someone shed some light on this?
>>
>> There's nothing about the "apache" user/group that inherently makes
>> it privileged. It's just a standard user/group that the apache
>> server (generally) runs as.
>>
>> What you do want to make certain of is that your DocumentRoot is
>> not owned by the user/group that the webserver is running as, and
>> that it is not writable by that user/group.
>>
>> The webserver does need read access to the files (and execute to
>> directories) under the DocumentRoot.
>
> Thanks for the advice! If I understand you, the user/group that the
> webserver is running as needs to have read access on files and
> execute on directories, but at the same time not be an "owner" of
> these files & directories. Is that correct?

Correct. And, as well, that user/group should not have write access
to the files/directories under the DocumentRoot.
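As an added example (not part of the thread, and not Apache's own tooling), the following POSIX shell audit checks a DocumentRoot against the two rules Richard gives: the run user/group needs read on every file and search (execute) on every directory from / down to and inside the DocumentRoot, or Apache answers "Forbidden"; and nothing under the DocumentRoot should be owned by, or writable by, that user/group. It takes the numeric uid and gid Apache runs as (for the account created above, `id -u http-web` and `id -g http-web`) and the DocumentRoot path; the function names, argument order and exit codes are this example's own conventions, and the mode-bit rule it applies (owner bits if the uid owns the entry, else group bits if the gid matches, else "other" bits) is the standard Unix permission check.

```sh
#!/bin/sh
# audit_docroot UID GID DOCROOT  (added example; not from the thread)
#
# Reports:
#   - any directory from / down to DOCROOT, or under it, that the run
#     uid/gid cannot search (x), and any file under DOCROOT it cannot
#     read: these produce "403 Forbidden";
#   - anything under DOCROOT owned by the run uid, group-writable by the
#     run gid, or world-writable: the webserver could then alter its
#     own content.
# Exit status: 0 = nothing found, 1 = findings printed, 2 = bad DOCROOT.

# accessible PATH UID GID BIT   (BIT: 4 = read, 1 = execute/search)
# Applies the owner/group/other rule for that uid/gid using only POSIX
# find tests (-uid, -gid, octal -perm), so it works on Linux and BSD.
accessible() {
  p=$1; uid=$2; gid=$3; bit=$4
  if [ -n "$(find "$p" -maxdepth 0 -uid "$uid" 2>/dev/null)" ]; then
    perm="-${bit}00"          # the run uid owns it: owner bits decide
  elif [ -n "$(find "$p" -maxdepth 0 -gid "$gid" 2>/dev/null)" ]; then
    perm="-0${bit}0"          # the run gid matches: group bits decide
  else
    perm="-00${bit}"          # otherwise the "other" bits decide
  fi
  [ -n "$(find "$p" -maxdepth 0 -perm "$perm" 2>/dev/null)" ]
}

audit_docroot() {
  uid=$1; gid=$2; root=$3
  [ -d "$root" ] || { echo "not a directory: $root"; return 2; }
  findings=$(
    # 1. every ancestor of DOCROOT must be searchable (walk up to /)
    d=$(cd "$root" && pwd -P)
    while [ "$d" != / ]; do
      d=$(dirname "$d")
      accessible "$d" "$uid" "$gid" 1 ||
        echo "not searchable by uid $uid/gid $gid: $d"
    done
    # 2. DOCROOT and every directory below it must be searchable,
    #    every file below it readable
    find "$root" -type d 2>/dev/null | while IFS= read -r d; do
      accessible "$d" "$uid" "$gid" 1 ||
        echo "not searchable by uid $uid/gid $gid: $d"
    done
    find "$root" -type f 2>/dev/null | while IFS= read -r f; do
      accessible "$f" "$uid" "$gid" 4 ||
        echo "not readable by uid $uid/gid $gid: $f"
    done
    # 3. nothing below DOCROOT should be owned by, or writable by,
    #    the run uid/gid
    find "$root" -uid "$uid" 2>/dev/null | sed 's/^/owned by run uid: /'
    find "$root" -gid "$gid" -perm -020 2>/dev/null |
      sed 's/^/group-writable by run gid: /'
    find "$root" -perm -002 2>/dev/null | sed 's/^/world-writable: /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Example run for the account created in the thread (uncomment to use):
# audit_docroot "$(id -u http-web)" "$(id -g http-web)" /opt/fpp/www
```

The check reads classic mode bits only: it does not see POSIX ACLs, SELinux or AppArmor labels, or the fact that uid 0 bypasses permission checks, so a clean result rules out the ownership and permission mistakes discussed here but not every cause of a 403. Note that the useradd command in the thread sets the new user's home directory to /opt/fpp/www/ and the chown -R hands that tree to the same user, which is exactly the "owned by the run user" finding this script reports; the DocumentRoot should stay owned by an administrative account with directories 0755 and files 0644.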