httpd-users mailing list archives

From "sudhakar govindavajhala" <sudhakarg79s...@gmail.com>
Subject Re: [users@httpd] Need help in getting apache to run in a non-root account
Date Sun, 10 Feb 2008 03:40:04 GMT
Hi Joshua,

That is a very good, insightful mail. Thanks. Please read on.


On 2/9/08, Joshua Slive <joshua@slive.ca> wrote:

> On Feb 9, 2008 7:47 PM, sudhakar govindavajhala
> <sudhakarg79spam@gmail.com> wrote:
> >
> >
> > Hi all,
> >
> > I manage the Information Security of a major financial institution.
> >
> > How do I get Apache to run as non-root user?  As you can see below,
> > in spite of setting in httpd.conf, Apache is listening on port 8080 as
> > root.
> >
> > I googled around, but could not find a way to start Apache as "apache".
> > Some web pages/emails claim that Apache starts as root, and then switches
> > to user "apache". After connecting to port 8080 using telnet, I do not see
> > any new httpd process created.  So, I do not trust these claims.
>
> Apache is a pre-forking server. It keeps a pool of processes available
> to serve incoming requests and therefore doesn't need to start new
> processes for each new connection. As your process listing shows, all
> processes except the master (control) process are running as user
> "apache", not as root. These are the processes that do the actual
> serving.



SG: What is a pre-forking server? How can I confirm that it is the worker
threads that are serving the request and not the master process? I am a little
bit uneasy that the master is running as root, I am connecting to a port
held by the master, and somehow the worker processes are serving the
requests. Since I am connecting to a port held by the master, and since the
master is running as root, my root account becomes vulnerable to a potential
buffer overflow security problem.


> > None of the docs is definitive. Why should the program start as root in
> > the first place?  Can anyone help me?
>
> Apache normally starts as root because it needs root permission to
> bind to port 80.
>
> In your case, since you are using a non-privileged port, you can have
> the master process run as non-root as well.

Yes, by su-ing to user apache, it all works fine.


> The reason the master process is currently running as root is because
> you have root privileges when you start it. If you want it to run as a
> different user, simply change to that userid before starting the
> server. (How you do that depends on your OS.)
>
> Also note, however, that you may need to change file permissions. For
> example, if you start the server as the "apache" user, then that user
> will need to be able to write to the log directory. Normally, only
> root needs to be able to write there.

SG: Yes, I see what you mean.

--Sudhakar

> Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
  "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
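
The pre-forking model discussed in this thread, as an added example that is not part of either poster's message and is not Apache's code: a master binds the listening socket and forks workers, and only the workers call accept(), so the reply to each connection carries a worker's PID and effective UID. The names `prefork_demo`, `worker_loop` and `drop_to` are hypothetical; it assumes a Unix system (os.fork) and uses a free high port on loopback, so it runs without root and the privilege drop only happens when `drop_to` is supplied and the process is root.

```python
import os
import signal
import socket

def worker_loop(listener, drop_to):
    """Child process: optionally drop root, then accept() forever."""
    try:
        if drop_to is not None and os.geteuid() == 0:
            uid, gid = drop_to           # hypothetical ids of the "apache" account
            os.setgroups([])             # order matters: groups, gid, then uid
            os.setgid(gid)
            os.setuid(uid)
        while True:
            conn, _ = listener.accept()  # only workers ever call accept()
            with conn:
                conn.sendall(b"%d %d" % (os.getpid(), os.geteuid()))
    finally:
        os._exit(1)                      # never fall back into the master's code

def prefork_demo(workers=2, requests=3, drop_to=None):
    """Return (master_pid, worker_pids, [(pid, euid) that answered each request])."""
    # Master: bind and listen once. On a real server binding is the only step
    # that needs root (ports below 1024); port 0 asks for a free high port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    port = listener.getsockname()[1]
    worker_pids = []
    for _ in range(workers):
        pid = os.fork()
        if pid == 0:
            worker_loop(listener, drop_to)   # child: does not return
        worker_pids.append(pid)
    answered = []
    try:
        # Constructed client, standing in for the telnet test in the thread.
        for _ in range(requests):
            with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
                pid, euid = c.recv(64).split()
                answered.append((int(pid), int(euid)))
    finally:
        for pid in worker_pids:          # master only supervises and cleans up
            os.kill(pid, signal.SIGKILL)
            os.waitpid(pid, 0)
        listener.close()
    return os.getpid(), worker_pids, answered

if __name__ == "__main__":
    print(prefork_demo())
```

No new process appears per connection because the pool already exists; the PID in each reply is always one of the forked workers, never the master.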