Why has Apache begun running a single process as root, and another as root and the wwwdata user?
Apache Httpd starts off as a process run by root to be able to listen to ports < 1024 (80 for HTTP and 443 for HTTPS). Normal users can't do that.
In addition, some configuration files are only readable by root, during the launch process. For example, your Apache user (e.g. www-data) shouldn't need to be able to read your private key file if you've configured SSL.
It's a good thing not to run everything as root: this way, a mistake or a compromised service wouldn't be able to make as much damage to the system as when running as root.
EDIT:
(I just assumed www-data instead of wwwdata, but it doesn't matter, it will run as the user you set it to run.)
Neither set of logs provides anything unusual. I have no idea how it's running that way.
It just runs this way: it starts a process as root and then forks other users as the user you've chosen.
If you get the root process id (e.g. with ps auwx | grep apache2, or grep httpd depending on the distribution), then run pstree -p -u THE_PROCESS_ID, you should see the hierarchy clearly. The parent process should always be running permanently (otherwise, you'd kill its child processes too).
See the User documentation (Apache MPM Common Directives):
If you do start the server as root, then it is normal for the parent process to remain running as root.
Related videos on Youtube
23 : 26
14 : 41
04 : 26
26 : 10
01 : 44
flink
Updated on September 18, 2022Comments
-
flink over 1 year
I am running Apache Worker-MPM, PHP 5.3.2, and FCGID.
Apache runs better than before, but I noticed that there is an apache process running as root and a second process that runs as both root and as wwwdata. The rest of the processes are running as wwwdata.
Has anyone run into this yet and is it safe?
-
bekay about 12 yearsHow is one of the apache processes running as two users root and wwwdata? The user it runs under is set in the main configuration file. I'd check your server access logs (not apaches) check the access/user/application logs in /var/log and see if you see anything suspicious
-
flink about 12 yearsNeither set of logs provides anything unusual. I have no idea how it's running that way.
-
Bruno about 12 years@Anagio "How is one of the apache processes running as two users root and wwwdata?" I don't think it's about one process running as two distinct users (that wouldn't work), but simply about two processes running as different users. It's normal.
-
flink about 12 years@Bruno In the process list, there are many Apache processes listed. There is one whose user is root, and one whose user is "root,wwwdata" That's just how it looks. I don't recall ever seeing two user names listed like that.
-
Bruno about 12 years@flink, which command do you use to list the processes?
-
flink about 12 years@Bruno I used the GUI system monitor, which shows the doubled usernames. I used the commands you provided and they gave me a better idea of what was really happening.
-
-
flink about 12 yearswww-data's UID and GID are below 1000, which isn't permitted by suexec/fcgid, so I created a new user, wwwdata with a higher UID and GID to run everything.
-
flink about 12 yearsThat was some great information. I need some serious command line study. Thanks!
