httpd-users mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: [users@httpd] Change user for Apache web server to a non-privileged user?
Date Mon, 19 Sep 2016 19:16:44 GMT


On 09/14/2016 08:16 AM, Tom Hammond wrote:
> Hello everyone,
> 
> I have an Apache 2.2x server and would like to harden security so that
> hackers can't get in easily to the Apache webserver.  One suggestion is
> to change the user/group for Apache to a non-privileged account.  
> 
> Currently the user "fpp" is the default user for Apache which has access
> to the operating system via sudo commands.  
> 
> I entered these commands to create a non-privileged account:
> sudo groupadd http-web
> sudo useradd -d /opt/fpp/www/ -g http-web http-web
> 
> I then edited /etc/apache2/envvars to change these lines:
> export APACHE_RUN_USER=http-web
> export APACHE_RUN_GROUP=http-web
> 
> I also ran this command to change user/group permissions on this folder:
> sudo chown -R http-web:http-web /var/lock/apache2/
> sudo chown -R http-web:http-web /opt/fpp/www
> 
> Finally, I restarted the Apache service with this command:
> sudo service apache2 restart
> 
> When I try to access the website on this server, I receive the following
> message:
> 
> 
> Forbidden: You don't have permission to access / on this server.
> 
> 
> I've been scouring the Internet trying to figure out how to switch the
> default "fpp" Apache user to a non-privileged account and can't figure
> it out. Can someone shed some light on this?
> 


You are *probably* encountering selinux permission problems.

No doubt, if you investigate that line, you'll find lots of people
telling you to disable selinux, or set it to permissive. These people
are evil, and should be ignored. Instead, you need to learn how to
correctly give permission to the web content to your Apache user
account. You're looking for the chcon command line utility.

See http://serverfault.com/questions/396036/apache-httpd-permissions for
a possible starting place.


-- 
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
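
Added example, not part of either message above: a shell check for the two causes of a 403 after switching the run account that this thread touches on, namely a path component the new account cannot search or read, and the SELinux label on the content. The function names `blocked_component` and `check_docroot` are hypothetical; it assumes GNU `stat` on Linux and ignores POSIX ACLs and root's permission bypass.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat; ignores ACLs and uid 0.

# Print the first component of an absolute path that the given uid/gids cannot
# search (directories) or read (a final file). Prints nothing if all pass.
# usage: blocked_component UID "GID GID ..." /abs/path
blocked_component() {
    uid=$1; gids=$2; p=$3; chain=$3
    # Build the list /, /opt, /opt/fpp, ... one entry per line.
    while [ "$p" != "/" ]; do p=$(dirname "$p"); chain="$p
$chain"; done
    printf '%s\n' "$chain" | while IFS= read -r d; do
        info=$(stat -c '%u %g %a' "$d" 2>/dev/null) || { echo "$d (missing)"; break; }
        set -- $info; owner=$1; group=$2; mode=$3
        # Pick the permission class the kernel would apply: owner, group, other.
        if [ "$uid" -eq "$owner" ]; then bits=$((mode / 100 % 10))
        elif case " $gids " in *" $group "*) true;; *) false;; esac; then
            bits=$((mode / 10 % 10))
        else bits=$((mode % 10)); fi
        if [ -d "$d" ]; then need=1; else need=4; fi   # x on dirs, r on files
        [ $((bits & need)) -ne 0 ] || { printf '%s\n' "$d"; break; }
    done
}

# Report file-mode and SELinux findings for a run account and document root.
check_docroot() {
    user=$1; root=$2
    bad=$(blocked_component "$(id -u "$user")" "$(id -G "$user")" "$root")
    if [ -n "$bad" ]; then
        echo "modes: $user is blocked at $bad (check owner, group and mode)"
    else
        echo "modes: $user can reach $root"
    fi
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        echo "SELinux $(getenforce): $root is labelled $(stat -c %C "$root")"
        echo "static content is normally typed httpd_sys_content_t;"
        echo "recent denials: ausearch -m avc -ts recent"
    else
        echo "SELinux not enabled here; check file modes and the httpd error log"
    fi
}

# Account and path from the thread:
# check_docroot http-web /opt/fpp/www
```

A `chown -R` on the document root alone does not change the directories above it, which is why the walk starts at `/`.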

