httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tom Hammond" <tomino...@gmail.com>
Subject RE: [users@httpd] Change user for Apache web server to a non-privileged user?
Date Wed, 14 Sep 2016 21:37:36 GMT
Hi Richard,

Thanks for the advice!  If I understand you, the user/group that the
webserver is running as needs to have read access on files and execute on
directories, but at the same time not be an "owner" of these files &
directories.  Is that correct?

Thanks again,
Tom


-----Original Message-----
From: Richard [mailto:lists-apache@listmail.innovate.net] 
Sent: Wednesday, September 14, 2016 5:06 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Change user for Apache web server to a
non-privileged user?



> Date: Wednesday, September 14, 2016 08:16:32 -0400
> From: Tom Hammond <tominohio@gmail.com>
>
> I have an Apache 2.2x server and would like to harden security so that 
> hackers can't get in easily to the Apache webserver.  One suggestion 
> is to change the user/group for Apache to a non-privileged account.
> 
> Currently the user "fpp" is the default user for Apache which has 
> access to the operating system via sudo commands.
> 
> I entered these commands to create a non-privileged account:
> sudo groupadd http-web
> sudo useradd -d /opt/fpp/www/ -g http-web http-web
> 
> I then edited /etc/apache2/envvars to change these lines:
> export APACHE_RUN_USER=http-web
> 
> export APACHE_RUN_GROUP=http-web
> 
> I also ran this command to change user/group permissions on this
> folder: sudo chown -R http-web:http-web /var/lock/apache2/ sudo chown 
> -R http-web:http-web /opt/fpp/www
> 
> Finally, I restarted the Apache service with this command:
> sudo service apache2 restart
> 
> When I try to access the website on this server, I receive the 
> following message:
> 
> Forbidden: You don't have permission to access / on this server.
> 
> I've been scouring the Internet trying to figure out how to switch the 
> default "fpp" Apache user to a non-privileged account and can't figure 
> it out. Can someone shed some light on this?

There's nothing about the "apache" user/group that inherently makes it
privileged. It's just a standard user/group that the apache server
(generally) runs as.

What you do want to make certain of is that your DocumentRoot is not owned
by the user/group that the webserver is running as, and that it is not
writable by that user/group.

The webserver does need read access to the files (and execute to
directories) under the DocumentRoot.





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message