> Date: Wednesday, September 14, 2016 17:37:36 -0400
> From: Tom Hammond <tominohio@xxxxxxxxx>
>
>> From: Richard
>> Sent: Wednesday, September 14, 2016 5:06 PM
>>
>>> Date: Wednesday, September 14, 2016 08:16:32 -0400
>>> From: Tom Hammond <tominohio@xxxxxxxxx>
>>>
>>> I have an Apache 2.2x server and would like to harden security so
>>> that hackers can't get in easily to the Apache webserver. One
>>> suggestion is to change the user/group for Apache to a
>>> non-privileged account.
>>>
>>> Currently the user "fpp" is the default user for Apache which has
>>> access to the operating system via sudo commands.
>>>
>>> I entered these commands to create a non-privileged account:
>>> sudo groupadd http-web
>>> sudo useradd -d /opt/fpp/www/ -g http-web http-web
>>>
>>> I then edited /etc/apache2/envvars to change these lines:
>>> export APACHE_RUN_USER=http-web
>>> export APACHE_RUN_GROUP=http-web
>>>
>>> I also ran these commands to change user/group permissions on these
>>> folders:
>>> sudo chown -R http-web:http-web /var/lock/apache2/
>>> sudo chown -R http-web:http-web /opt/fpp/www
>>>
>>> Finally, I restarted the Apache service with this command:
>>> sudo service apache2 restart
>>>
>>> When I try to access the website on this server, I receive the
>>> following message:
>>>
>>> Forbidden: You don't have permission to access / on this server.
>>>
>>> I've been scouring the Internet trying to figure out how to switch
>>> the default "fpp" Apache user to a non-privileged account and
>>> can't figure it out. Can someone shed some light on this?
>>
>> There's nothing about the "apache" user/group that inherently makes
>> it privileged. It's just a standard user/group that the apache
>> server (generally) runs as.
>>
>> What you do want to make certain of is that your DocumentRoot is
>> not owned by the user/group that the webserver is running as, and
>> that it is not writable by that user/group.
>>
>> The webserver does need read access to the files (and execute to
>> directories) under the DocumentRoot.
>>
> Thanks for the advice! If I understand you, the user/group that the
> webserver is running as needs to have read access on files and
> execute on directories, but at the same time not be an "owner" of
> these files & directories. Is that correct?
>
Correct. And, as well, that user/group should not have write access
to the files/directories under the DocumentRoot.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
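The rules Richard states (the run user/group needs read on files and execute on directories under the DocumentRoot, but must neither own nor be able to write to anything there) can be checked mechanically before restarting Apache. The script below is an added example written for this thread; it is not code from the thread or from the httpd project. It assumes GNU coreutils or BusyBox `stat -c` (Linux), takes the run user and group by name ("http-web" is the account from Tom's post), works from the permission bits rather than from `test -r`, so it gives the same answer whether or not you run it as root, and builds a small constructed directory tree for the demo instead of touching a real DocumentRoot.

```shell
#!/bin/sh
# audit_docroot.sh - added example, not from the thread or the httpd project.
# Checks a DocumentRoot against the rules given in the thread: the Apache run
# user/group needs read on files and execute (search) on directories, but
# must neither own nor be able to write anything there.
# Assumes GNU coreutils / BusyBox `stat -c` (Linux). The run user and group
# are passed in by name; "http-web" is the account from the original post.

# Print one finding per violated rule for a single path (nothing if clean).
audit_path() {
    ap_path=$1; ap_user=$2; ap_group=$3
    # %U owner name, %G group name, %a mode in octal (e.g. 644 or 2755)
    ap_stat=$(stat -c '%U %G %a' "$ap_path" 2>/dev/null) || return 0
    set -- $ap_stat
    ap_owner=$1; ap_gowner=$2; ap_mode=$3
    # Normalise to the last three octal digits (pad short modes such as "40",
    # drop setuid/setgid/sticky digits).
    ap_perm=$ap_mode
    while [ ${#ap_perm} -lt 3 ]; do ap_perm=0$ap_perm; done
    ap_hi=${ap_perm%???}
    ap_perm=${ap_perm#$ap_hi}
    ap_o=${ap_perm%??}                      # owner digit
    ap_g=${ap_perm#?}; ap_g=${ap_g%?}       # group digit
    ap_w=${ap_perm#??}                      # other digit
    # Ordinary Unix semantics: owner bits apply if the run user owns the
    # path, else group bits if the group matches, else the "other" bits.
    # Supplementary group membership is not modelled.
    if [ "$ap_owner" = "$ap_user" ]; then
        echo "OWNED-BY-RUN-USER $ap_path"; ap_class=owner; ap_bits=$ap_o
    elif [ "$ap_gowner" = "$ap_group" ]; then
        echo "GROUP-IS-RUN-GROUP $ap_path"; ap_class=group; ap_bits=$ap_g
    else
        ap_class=other; ap_bits=$ap_w
    fi
    [ $((ap_bits & 4)) -ne 0 ] || echo "NOT-READABLE $ap_path"
    [ $((ap_bits & 2)) -eq 0 ] || echo "WRITABLE $ap_path"
    if [ -d "$ap_path" ]; then
        [ $((ap_bits & 1)) -ne 0 ] || echo "NOT-TRAVERSABLE $ap_path"
    fi
    # Content any local account can modify is a problem even when the run
    # user itself falls in the owner or group class.
    if [ "$ap_class" != other ] && [ $((ap_w & 2)) -ne 0 ]; then
        echo "WORLD-WRITABLE $ap_path"
    fi
}

# Walk a tree below the given root; print all findings, return 1 if any.
audit_docroot() {
    ad_out=$(find "$1" -print | while IFS= read -r ad_p; do
        audit_path "$ad_p" "$2" "$3"
    done)
    [ -n "$ad_out" ] || return 0
    printf '%s\n' "$ad_out"
    return 1
}

# Build a small throwaway tree (constructed test data, not a real site).
# Everything is owned by whoever runs the script, so with run user
# "http-web" the "other" permission class applies throughout.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/public" "$fx/private"
    printf '<html>ok</html>\n' > "$fx/public/index.html"
    printf 'placeholder\n' > "$fx/public/upload.php"
    printf 'placeholder\n' > "$fx/private/secret.conf"
    chmod 755 "$fx" "$fx/public"
    chmod 750 "$fx/private"             # no search bit for "other"
    chmod 644 "$fx/public/index.html"   # readable, not writable: clean
    chmod 666 "$fx/public/upload.php"   # writable by the run user: bad
    chmod 640 "$fx/private/secret.conf" # unreadable by "other"
    printf '%s\n' "$fx"
}

# Demo against the constructed tree as run user/group "http-web".
demo_root=$(make_fixture)
echo "Auditing $demo_root for run user http-web:"
if audit_docroot "$demo_root" http-web http-web; then
    echo "clean"
else
    echo "the paths above violate the rules from the thread"
fi
rm -rf "$demo_root"
```

Run it against a real site as `audit_docroot /opt/fpp/www http-web http-web` after sourcing the functions. NOT-READABLE and NOT-TRAVERSABLE are the findings that produce a 403 like the one in Tom's post; WRITABLE, WORLD-WRITABLE and the two ownership findings are the ones Richard warns about, and a `chown -R http-web:http-web /opt/fpp/www` as in the original post would raise OWNED-BY-RUN-USER on every path. The script only walks below the root you give it: every ancestor directory (for /opt/fpp/www that is /, /opt and /opt/fpp) must also carry the search bit for the run user, so check those separately.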