httpd-users mailing list archives

From Rodrigo Cunha <rodrigo.root...@gmail.com>
Subject Re: [users@httpd] Change user for Apache web server to a non-privileged user?
Date Wed, 14 Sep 2016 21:49:03 GMT
Check for strings in the Apache config directory, /etc/apache (Debian):
grep www- /etc/apache2/apache2.conf * -R
or
grep http /etc/apache2/apache2.conf * -R

Check for strings containing the old users and change them to the new user:
http-web
Check the running Apache process:
ps -ef | grep -i apache
or
ps -ef | grep -i http
PS:
Change index.php, for example, or .httpaccess in the root directory of your
website to your new group, permission 775...



2016-09-14 18:37 GMT-03:00 Tom Hammond <tominohio@gmail.com>:

> Hi Richard,
>
> Thanks for the advice!  If I understand you, the user/group that the
> webserver is running as needs to have read access on files and execute on
> directories, but at the same time not be an "owner" of these files &
> directories.  Is that correct?
>
> Thanks again,
> Tom
>
>
> -----Original Message-----
> From: Richard [mailto:lists-apache@listmail.innovate.net]
> Sent: Wednesday, September 14, 2016 5:06 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Change user for Apache web server to a
> non-privileged user?
>
>
>
> > Date: Wednesday, September 14, 2016 08:16:32 -0400
> > From: Tom Hammond <tominohio@gmail.com>
> >
> > I have an Apache 2.2x server and would like to harden security so that
> > hackers can't get in easily to the Apache webserver.  One suggestion
> > is to change the user/group for Apache to a non-privileged account.
> >
> > Currently the user "fpp" is the default user for Apache which has
> > access to the operating system via sudo commands.
> >
> > I entered these commands to create a non-privileged account:
> > sudo groupadd http-web
> > sudo useradd -d /opt/fpp/www/ -g http-web http-web
> >
> > I then edited /etc/apache2/envvars to change these lines:
> > export APACHE_RUN_USER=http-web
> >
> > export APACHE_RUN_GROUP=http-web
> >
> > I also ran this command to change user/group permissions on this
> > folder:
> > sudo chown -R http-web:http-web /var/lock/apache2/
> > sudo chown -R http-web:http-web /opt/fpp/www
> >
> > Finally, I restarted the Apache service with this command:
> > sudo service apache2 restart
> >
> > When I try to access the website on this server, I receive the
> > following message:
> >
> > Forbidden: You don't have permission to access / on this server.
> >
> > I've been scouring the Internet trying to figure out how to switch the
> > default "fpp" Apache user to a non-privileged account and can't figure
> > it out. Can someone shed some light on this?
>
> There's nothing about the "apache" user/group that inherently makes it
> privileged. It's just a standard user/group that the apache server
> (generally) runs as.
>
> What you do want to make certain of is that your DocumentRoot is not owned
> by the user/group that the webserver is running as, and that it is not
> writable by that user/group.
>
> The webserver does need read access to the files (and execute to
> directories) under the DocumentRoot.
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


-- 
Atenciosamente,
Rodrigo da Silva Cunha
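
Richard's advice quoted above (DocumentRoot not owned or writable by the account the server runs as, but readable, with execute on directories) can be checked with a short script. This is an added example, not part of any message in the thread; the function name `audit_docroot` and the finding labels are made up for illustration, and it assumes access comes only through the run group or the "other" permission bits.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a DocumentRoot against the advice
# quoted above and prints one finding per line (no output means clean).
# Assumption: the run user reaches files only through its primary group or
# the "other" permission bits; supplementary groups and ACLs are not checked.

tag() { sed "s/^/$1 /"; }   # prefix each path from find with a finding label

# Usage: audit_docroot DOCROOT RUN_USER RUN_GROUP   (names or numeric ids)
audit_docroot() {
    docroot=$1; run_user=$2; run_group=$3

    # The server account must not own anything it serves.
    find "$docroot" -user "$run_user" | tag OWNED_BY_RUN_USER

    # It must not be able to write through its group ...
    find "$docroot" -group "$run_group" -perm -020 | tag GROUP_WRITABLE

    # ... or through world-writable bits (symlink modes are meaningless).
    find "$docroot" ! -type l -perm -002 | tag WORLD_WRITABLE

    # Directories need execute (search) for the server to descend into them.
    find "$docroot" -type d \
        ! \( -group "$run_group" -perm -010 \) ! -perm -001 | tag NOT_TRAVERSABLE

    # Regular files need read.
    find "$docroot" -type f \
        ! \( -group "$run_group" -perm -040 \) ! -perm -004 | tag NOT_READABLE
}

# Example call with the paths and account from the thread:
#   audit_docroot /opt/fpp/www http-web http-web
```

After the recursive chown to http-web:http-web described in the original question, every path under /opt/fpp/www would be reported as OWNED_BY_RUN_USER.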
