That is a very good insightful mail. Thanks. Please read on.
On Feb 9, 2008 7:47 PM, sudhakar govindavajhala
<sudhakarg79spam@xxxxxxxxx> wrote:
>
>
> Hi all,
>
> I manage the Information Security of a major financial institution.
>
> How do I get Apache to run as non-root user? As you can see below,
> in spite of the setting in httpd.conf, Apache is listening on port 8080 as
> root.
>
> I googled around, but could not find a way to start Apache as "apache".
> Some web pages/emails claim that Apache starts as root, and then switches
> to user "apache". After connecting to port 8080 using telnet, I do not see
> any new httpd process created. So, I do not trust these claims.
Apache is a pre-forking server. It keeps a pool of processes available
to serve incoming requests and therefore doesn't need to start new
processes for each new connection. As your process listing shows, all
processes except the master (control) process are running as user
"apache", not as root. These are the processes that do the actual
serving.
SG: What is a pre-forking server? How can I confirm that it is the worker threads that are serving the request and not the master process? I am a little bit uneasy that the master is running as root, I am connecting to a port held by the master, and somehow the worker processes are serving the requests. Since I am connecting to a port held by the master, and since the master is running as root, my root account becomes vulnerable to a potential buffer overflow security problem.
>
> None of the docs is definitive. Why should the program start as root in
> the first place? Can anyone help me?
Apache normally starts as root because it needs root permission to
bind to port 80.
In your case, since you are using a non-privileged port, you can have
the master process run as non-root as well.
Yes, by su-ing to user apache, it all works fine.
The reason the master process is currently running as root is that
you have root privileges when you start it. If you want it to run as a
different user, simply change to that userid before starting the
server. (How you do that depends on your OS.)
Also note, however, that you may need to change file permissions. For
example, if you start the server as the "apache" user, then that user
will need to be able to write to the log directory. Normally, only
root needs to be able to write there.
SG: Yes, I see what you mean.
--Sudhakar
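The pre-fork model the reply describes, as an added example that is not part of the thread: the master binds the listening socket (the only step that needs root when the port is 80) and forks workers; each worker drops privileges and is the process that actually reads and answers the request, while the master never touches request bytes. `demo()` serves one request to itself and reports which pid and uid answered; the "apache" account name and the "nobody" fallback are assumptions, and when started as an ordinary user the privilege drop is a no-op.

```python
import os, pwd, signal, socket
# Added example, not the thread's code; the "apache" account name is assumed.

def drop_privileges(user):  # worker side; no-op when not started as root
    if os.geteuid() != 0:
        return
    try:
        pw = pwd.getpwnam(user)
    except KeyError:  # assumed fallback if the account does not exist
        pw = pwd.getpwnam("nobody")
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)

def worker_loop(lsock, user):  # workers read and answer; the master never does
    drop_privileges(user)
    while True:
        conn, _ = lsock.accept()
        with conn:
            conn.recv(4096)  # request bytes are parsed at the worker's privilege
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                         + f"{os.getpid()} {os.getuid()}\n".encode())

def fetch(port):  # client side, like the telnet test in the mail
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        with s.makefile("rb") as f:
            data = f.read()
    pid, uid = data.split(b"\r\n\r\n", 1)[1].split()
    return int(pid), int(uid)

def demo(workers=2, user="apache"):  # master: bind, fork, serve one request, stop
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))  # port 0 picks a free port; port 80 needs root
    lsock.listen(16)
    pids = []
    for _ in range(workers):
        pid = os.fork()
        if pid == 0:  # child inherits the bound socket and serves until killed
            try:
                worker_loop(lsock, user)
            finally:
                os._exit(0)
        pids.append(pid)
    served_pid, served_uid = fetch(lsock.getsockname()[1])
    lsock.close()
    for pid in pids:
        os.kill(pid, signal.SIGTERM)
        os.waitpid(pid, 0)
    return dict(master=os.getpid(), workers=pids, served_by=served_pid, served_uid=served_uid)
```

On a real host the same check is `ps -o pid,user,args -C httpd` plus `ss -tlnp` (or `lsof -i :8080`): the listening socket belongs to the root master, but the answering pid is one of the "apache" children.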