Running Apache as a different user
Solution 1
Apache has to run as root initially in order to bind to port 80. If you don't run it as root initially then you cannot bind to port 80. If you want to bind to some port above 1024 then yes, you can. Otherwise don't worry about root. That is the parent Apache process and does not serve any requests. It will spawn child processes and drop privileges for handling requests.
To change the Apache user, set the User and Group parameters in your Apache config.
Solution 2
In Ubuntu at least, the settings for this are in /etc/apache2/envvars. Tweak those, then restart apache and you're off and running.
Solution 3
@bahamat explains it pretty well, but I'll add a little more detail.
In the course of normal operation, the root-owned apache process will not perform any actual operations other than listening on port 80 and forwarding incoming connections to its (safely non-privileged, as the www-data user) children.
The location of the master configuration file depends on compile-time options and varies per distribution, but /etc/apache2/apache2.conf is a good starting guess.
Also, if you're setting up a multi-user webhosting system, you might want to look into SuExec and fcgid so that each individual webhosting user's apache process runs as said user -- so that if one user is negligent with their security, other users won't be affected.
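As an added example (not part of the original answers), the script below reads the run user from a Debian/Ubuntu envvars file and checks that every Apache worker in a process listing runs as that user while only the parent may differ. The function names are hypothetical, the sample listing is constructed, and it assumes envvars sets the user through an `export APACHE_RUN_USER=...` line as the Debian/Ubuntu packaging does.

```shell
#!/bin/sh
# Added example (not from the original answers). Sample data is constructed.

# Print the run user set in a Debian/Ubuntu envvars file, which holds
# shell lines such as:  export APACHE_RUN_USER=www-data
configured_run_user() {
    sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}APACHE_RUN_USER=//p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# Read "USER PID PPID COMMAND..." lines on stdin (the format printed by
# `ps -eo user=,pid=,ppid=,args=`) and check that every Apache worker,
# i.e. a process whose parent is also Apache, runs as the expected user.
# Returns non-zero if any worker runs as someone else (including root).
audit_apache_users() {
    awk -v want="$1" '
        $4 ~ /(^|\/)(apache2|httpd)$/ { user[$2] = $1; ppid[$2] = $3 }
        END {
            bad = 0
            for (p in user) {
                if (!(ppid[p] in user)) {
                    printf "INFO parent %s runs as %s\n", p, user[p]
                } else if (user[p] != want) {
                    printf "FAIL worker %s runs as %s, expected %s\n", p, user[p], want
                    bad = 1
                } else {
                    printf "OK   worker %s runs as %s\n", p, user[p]
                }
            }
            exit bad
        }'
}

# Constructed sample modelled on the process list in the question.
sample_ps() {
    cat <<'EOF'
root     30117     1 /usr/sbin/apache2 -k start
www-data 30119 30117 /usr/sbin/apache2 -k start
www-data 30120 30117 /usr/sbin/apache2 -k start
root       812     1 /usr/sbin/sshd -D
EOF
}

# Real use:
# ps -eo user=,pid=,ppid=,args= | audit_apache_users "$(configured_run_user /etc/apache2/envvars)"
```

Run it after restarting Apache with a changed user: a FAIL line means a worker is still serving requests under the old account.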
Solution 4
Also, check out Apache2 ITK MPM.
It forks an Apache thread with the assigned uid/gid, this lets you keep using mod_php. No more chmod/chown etc.
mudasirahanger
Updated on September 18, 2022
Comments
-
mudasirahanger over 1 year
When I run the ps -efH command to list out all the processes, I can see Apache running as root and seems to have sub-processes running as www-data. Here's the excerpt:
root 30117 1 0 09:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30119 30117 0 09:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30120 30117 0 09:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30121 30117 0 09:10 ? 00:00:00 /usr/sbin/apache2 -k start
Can I make Apache and all sub-processes run as different user apache2d:apache2d? If so how? I read somewhere that the settings for this can be found in /etc/apache2/httpd.conf but that file seems to be empty? Can this be accomplished by changing the owner and group of the /etc/init.d/apache2 script and then setting the setuid flag on it?
-
Shadur over 10 years
Upvoting for mpm_itk which is a significant improvement over suexec/fcgid
-
bahamat almost 10 years
It doesn't. Processes can only bind to ports under 1024 if they have super user privilege. So haproxy is either starting as root and dropping privileges (probably) or setuid root (unlikely).
-
Greg over 9 years
Thanks, this helped me! I'm setting up an Ubuntu vagrant box, and for some reason /etc/apache2/httpd.conf wasn't being used to load the user and group. envvars seems to do the trick!
-
Animal451 over 5 years
You don't need to run it as root, you just need to allow your 'apache' user access to restricted ports (i.e., those below 1024). This answer explains how you can use 'authbind' to do that: superuser.com/questions/710253/…
-
istepaniuk over 3 years
Running the parent apache process as non-privileged user is perfectly possible. setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/apache2 allows it to bind non-privileged ports.