Running Apache as a different user

linux ubuntu permissions apache-http-server user-accounts

77,932

Solution 1

Apache has to run as root initially in order to bind to port 80. If you don't run it as root initially then you cannot bind to port 80. If you want to bind to some port above 1024 then yes, you can. Otherwise don't worry about root. That is the parent Apache process and does not serve any requests. It will spawn child processes and drop privileges for handling requests.

To change the Apache user set the User and Group parameters in your Apache config.

Solution 2

In Ubuntu at least, the settings for this are in /etc/apache2/envvars. Tweak those, then restart apache and you're off and running.

Solution 3

@bahamat explains it pretty well, but I'll add a little more detail.

In the course of normal operation, the root-owned apache process will not perform any actual operations other than listening on port 80 and forwarding incoming connections to its (safely non-privileged, as the www-data user) children.

The location of the master configuration file depends on compile-time options and varies per distribution, but /etc/apache2/apache2.conf is a good starting guess.

Also, if you're setting up a multi-user webhosting system, you might want to look into SuExec and fcgid so that each individual webhosting user's apache process runs as said user -- so that if one user is negligent with their security, other users won't be affected.

Solution 4

Also, check out Apache2 ITK MPM.

It forks an Apache thread with the assigned uid/gid, this let's you keep using mod_php. No more chmod/chown etc.

View more solutions

77,932

mudasirahanger

I'm a software developer who relishes authoring Java and Python, hacking on Android and toying with AppEngine. I have a penchant for development and a passion for the business side of software. In between all the work, I contribute to a number of open-source projects, learn to master the art of cooking Asian cuisine and try to stay sane while learning to fly my Align Trex-600 Nitro Heli.

Updated on September 18, 2022

Comments

mudasirahanger over 1 year
When I run the ps -efH command to list out all the process, I can see Apache running as root and seems to have sub-processes running as www-data. Here's the excerpt:
```
root     30117     1  0 09:10 ?        00:00:00   /usr/sbin/apache2 -k start
www-data 30119 30117  0 09:10 ?        00:00:00     /usr/sbin/apache2 -k start
www-data 30120 30117  0 09:10 ?        00:00:00     /usr/sbin/apache2 -k start
www-data 30121 30117  0 09:10 ?        00:00:00     /usr/sbin/apache2 -k start
```
Can I make Apache and all sub-processes run as different user apache2d:apache2d? If so how? I read somewhere that the settings for this can be found in /etc/apache2/httpd.conf but that file seems to be empty? Can this be accomplished by changing the owner and group of the /etc/init.d/apache2 script and then settings the setuid flag on it?
Shadur over 10 years

Upvoting for mpm_itk which is a significant improvement over suexec/fcgid
bahamat almost 10 years

It doesn't. Processes can only bind to ports under 1024 if it has super user privilege. So haproxy is either starting as root and dropping privileges (probably) or setuid root (unlikely).
Greg over 9 years

Thanks, this helped me! I'm setting up a ubuntu vagrant box, and for some reason /etc/apache2/httpd.conf wasn't being used to load the user and group. envars seems to do the trick!
Animal451 over 5 years

You don't need to run it as root, you just need to allow your 'apache' user access to restricted ports (ie, those below 1024). This answer explains how you can use 'authbind' to do that: superuser.com/questions/710253/…
istepaniuk over 3 years

Running the parent apache process as non-priviledged user is perfectly possible. setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/apache2 allows it to bind non-privileged ports.