httpd-users mailing list archives

From Erik Dobák <erik.do...@gmail.com>
Subject Re: [users@httpd] Change user for Apache web server to a non-privileged user?
Date Thu, 15 Sep 2016 18:09:14 GMT
I was told that chrooting that user might also be a good idea. What do you
think?

E

On 14 September 2016 at 23:49, Richard <lists-apache@listmail.innovate.net>
wrote:

>
>
>
> > Date: Wednesday, September 14, 2016 17:37:36 -0400
> > From: Tom Hammond <tominohio@gmail.com>
> >
> >> From: Richard
> >> Sent: Wednesday, September 14, 2016 5:06 PM
> >>
> >>> Date: Wednesday, September 14, 2016 08:16:32 -0400
> >>> From: Tom Hammond <tominohio@gmail.com>
> >>>
> >>> I have an Apache 2.2x server and would like to harden security so
> >>> that hackers can't get in easily to the Apache webserver. One
> >>> suggestion is to change the user/group for Apache to a
> >>> non-privileged account.
> >>>
> >>> Currently the user "fpp" is the default user for Apache which has
> >>> access to the operating system via sudo commands.
> >>>
> >>> I entered these commands to create a non-privileged account:
> >>> sudo groupadd http-web
> >>> sudo useradd -d /opt/fpp/www/ -g http-web http-web
> >>>
> >>> I then edited /etc/apache2/envvars to change these lines:
> >>> export APACHE_RUN_USER=http-web
> >>>
> >>> export APACHE_RUN_GROUP=http-web
> >>>
> >>> I also ran these commands to change user/group permissions on these
> >>> folders:
> >>> sudo chown -R http-web:http-web /var/lock/apache2/
> >>> sudo chown -R http-web:http-web /opt/fpp/www
> >>>
> >>> Finally, I restarted the Apache service with this command:
> >>> sudo service apache2 restart
> >>>
> >>> When I try to access the website on this server, I receive the
> >>> following message:
> >>>
> >>> Forbidden: You don't have permission to access / on this server.
> >>>
> >>> I've been scouring the Internet trying to figure out how to switch
> >>> the default "fpp" Apache user to a non-privileged account and
> >>> can't figure it out. Can someone shed some light on this?
> >>
> >>
> >>
> >> There's nothing about the "apache" user/group that inherently makes
> >> it privileged. It's just a standard user/group that the apache
> >> server (generally) runs as.
> >>
> >> What you do want to make certain of is that your DocumentRoot is
> >> not owned by the user/group that the webserver is running as, and
> >> that it is not writable by that user/group.
> >>
> >> The webserver does need read access to the files (and execute to
> >> directories) under the DocumentRoot.
> >>
> >
> >
> > Thanks for the advice!  If I understand you, the user/group that the
> > webserver is running as needs to have read access on files and
> > execute on directories, but at the same time not be an "owner" of
> > these files & directories.  Is that correct?
> >
>
>
> Correct. And, as well, that user/group should not have write access
> to the files/directories under the DocumentRoot.
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
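The permission model Richard lays out above (the run user/group needs read on files and search on directories under the DocumentRoot, but should own nothing there and be able to write nothing there), turned into an audit script. This is an added example, not code from anyone in the thread. The run account http-web and the DocumentRoot /opt/fpp/www in the comments are taken from Tom's setup and are assumptions about the target; the script needs GNU find and getent, so it is Linux-specific.

```shell
#!/bin/sh
# Added example (not from the thread): audit and optionally apply the
# DocumentRoot permission model from the discussion. The Apache run user
# needs r on files and x (search) on directories, but should neither own
# nor be able to write anything under the DocumentRoot.
# Assumed names: run account http-web, DocumentRoot /opt/fpp/www (Tom's
# setup). Requires GNU find and getent (Linux).

# Numeric gid for a group name (or numeric gid), via getent.
gid_of_group() {
  getent group "$1" | cut -d: -f3
}

# Paths under $1 the run user (uid $2, gid $3) could modify. A path owned
# by the run user counts as writable whatever its mode bits say, because
# the owner can chmod it back; that is why Richard's "not owned by" matters.
writable_by_run_user() {
  find "$1" -uid "$2" -o \( -gid "$3" -perm -g=w \) -o -perm -o=w
}

# Paths under $1 the run user cannot read (files) or search (directories),
# i.e. what turns into "Forbidden" after an ownership change. The test uses
# whichever permission triplet applies to the run user: owner, group, other.
unreadable_by_run_user() {
  find "$1" \
    \( -type f \( \( -uid "$2" ! -perm -u=r \) -o \
                   \( ! -uid "$2" -gid "$3" ! -perm -g=r \) -o \
                   \( ! -uid "$2" ! -gid "$3" ! -perm -o=r \) \) \) -o \
    \( -type d \( \( -uid "$2" ! -perm -u=x \) -o \
                   \( ! -uid "$2" -gid "$3" ! -perm -g=x \) -o \
                   \( ! -uid "$2" ! -gid "$3" ! -perm -o=x \) \) \)
}

# Apply the model to docroot $1: owner $2 (normally root), group $3 (the
# run group), directories 0755 and files 0644, so the run group can read
# and traverse but cannot write. Needs root unless $2 is the calling user.
harden_docroot() {
  chown -R "$2:$3" "$1" &&
  find "$1" -type d -exec chmod 0755 {} + &&
  find "$1" -type f -exec chmod 0644 {} +
}

# Report for docroot $1, run user name $2 and run group name $3.
# Returns 0 only when nothing is writable or unreadable by the run user,
# 2 when the user or group cannot be resolved.
audit_docroot() {
  uid=$(id -u "$2") || return 2
  gid=$(gid_of_group "$3")
  [ -n "$gid" ] || return 2
  w=$(writable_by_run_user "$1" "$uid" "$gid")
  u=$(unreadable_by_run_user "$1" "$uid" "$gid")
  [ -n "$w" ] && printf 'writable by %s:\n%s\n' "$2" "$w"
  [ -n "$u" ] && printf 'unreadable by %s:\n%s\n' "$2" "$u"
  [ -z "$w$u" ]
}

# Usage, as root, after setting APACHE_RUN_USER/APACHE_RUN_GROUP to
# http-web in /etc/apache2/envvars (names are the assumed ones above):
#   harden_docroot /opt/fpp/www root http-web
#   audit_docroot /opt/fpp/www http-web http-web && echo "docroot OK"
```

Both `find` checks walk the DocumentRoot directory itself as well as its contents, so a DocumentRoot that the run user owns (as Tom's `chown -R http-web:http-web /opt/fpp/www` produces) shows up in the writable list even when every file under it is 0644. Write access that a site genuinely needs (uploads, caches) belongs in a separate directory outside the DocumentRoot, so that the audit stays clean.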
