How do I stop Apache from running as root?


It is unusual to find Apache running as root in any stock configuration. How have you determined that Apache is running as root? Note that Apache must start up as root in order to bind to privileged ports, but typically sheds its privileges later on.

You can look in your Apache configuration (often in /etc/httpd or /etc/apache2, depending on your distribution) for the User and Group directives (documented here). These two directives control under what user id Apache runs.

It is also unusual to find a system that has "no other groups or users". What do getent passwd and getent group show? Are there really no other users or groups other than root? Most distributions ship with an apache or www-data user or somesuch and a matching configuration that will run Apache as that user.

There are a variety of introductory guides out there to Apache configuration and security. A simple Google search yields many likely-looking results. The RedHat/CentOS Deployment Guide is a good place to start (if you're on a RedHat/CentOS system).
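
The checks described in this answer (the User and Group directives, and a root parent process whose children run unprivileged), as an added example that is not part of the original answer. The configuration fragment and process listing are constructed samples and the function names are hypothetical; on a live host, feed the functions the real configuration file and the output of `ps -eo user=,pid=,ppid=,comm=`.

```shell
#!/bin/sh
# Added example: compare the identity Apache is configured to use with the
# identity its processes actually have. All sample data is constructed.

# Constructed httpd.conf fragment (Apache directive names are case-insensitive).
SAMPLE_CONF='# User root
User apache
Group apache
Listen 80'

# Constructed listings in the format of: ps -eo user=,pid=,ppid=,comm=
SAMPLE_PS_OK='root     1200    1 httpd
apache   1201 1200 httpd
apache   1202 1200 httpd'
SAMPLE_PS_BAD='root     1200    1 httpd
root     1201 1200 httpd
apache   1202 1200 httpd'

# Print the effective (last, uncommented) value of a directive read from stdin.
effective_directive() {
    awk -v name="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { val = $2 }
        END { if (val != "") print val }'
}

# Print PIDs of server processes that run as root AND whose parent is also a
# server process. The root-owned parent that binds the port is expected; a
# root-owned child means privileges were never dropped.
root_workers() {
    awk -v comm="$1" '
        $4 == comm { user[$2] = $1; parent[$2] = $3 }
        END { for (p in user) if (user[p] == "root" && (parent[p] in user)) print p }' |
        sort -n
}

# Return 0 only if User names a non-root account and no worker runs as root.
audit() {   # $1 = config text, $2 = ps text, $3 = process name (httpd/apache2)
    u=$(printf '%s\n' "$1" | effective_directive User)
    w=$(printf '%s\n' "$2" | root_workers "$3")
    echo "User directive: ${u:-<not set>}; root workers: ${w:-none}"
    [ -n "$u" ] && [ "$u" != "root" ] && [ "$u" != "#0" ] && [ -z "$w" ]
}

audit "$SAMPLE_CONF" "$SAMPLE_PS_OK" httpd && echo "OK"
audit "$SAMPLE_CONF" "$SAMPLE_PS_BAD" httpd || echo "FAIL: worker running as root"
```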

Author: r00tAcc3ss

Updated on September 18, 2022

Comments

  • r00tAcc3ss
    r00tAcc3ss over 1 year

    New on the job, small place, and the security stuff just landed on my desk. I was hired to be a front-end developer. Happy to learn new things, but never had to do sysadmin stuff before.

    I started digging and it appears that apache, the site, and everything is running on root. There are no other groups or users. ACK!

    What steps should I take to change this? I know that this is a big no-no...

    Bonus points if anyone can please point me to a good basic 101 tutorial on apache/php security.

  • r00tAcc3ss
    r00tAcc3ss about 12 years
    Thanks, yeah, it wasn't running off root, but it seems that everything else has been done using root. All the folders, files, etc. I'll need to work out how to change that.
  • larsks
    larsks about 12 years
    Well...not necessarily. You don't want the files owned by the same user as the running Apache process. Ideally, a compromise in the web server will not result in an attacker being able to modify your Apache configuration or web content.