From: Rich Bowen
To: users@httpd.apache.org
Date: Mon, 19 Sep 2016 15:16:44 -0400
Subject: Re: [users@httpd] Change user for Apache web server to a non-privileged user?
Message-ID: <830f2175-d226-0bb1-e162-f8abbc383bb2@rcbowen.com>

On 09/14/2016 08:16 AM, Tom Hammond wrote:
> Hello everyone,
>
> I have an Apache 2.2x server and would like to harden security so that
> hackers can't get in easily to the Apache webserver. One suggestion is
> to change the user/group for Apache to a non-privileged account.
>
> Currently the user "fpp" is the default user for Apache which has access
> to the operating system via sudo commands.
>
> I entered these commands to create a non-privileged account:
> sudo groupadd http-web
> sudo useradd -d /opt/fpp/www/ -g http-web http-web
>
> I then edited /etc/apache2/envvars to change these lines:
> export APACHE_RUN_USER=http-web
> export APACHE_RUN_GROUP=http-web
>
> I also ran this command to change user/group permissions on this folder:
> sudo chown -R http-web:http-web /var/lock/apache2/
> sudo chown -R http-web:http-web /opt/fpp/www
>
> Finally, I restarted the Apache service with this command:
> sudo service apache2 restart
>
> When I try to access the website on this server, I receive the following
> message:
>
> Forbidden: You don't have permission to access / on this server.
>
> I've been scouring the Internet trying to figure out how to switch the
> default "fpp" Apache user to a non-privileged account and can't figure
> it out. Can someone shed some light on this?

You are *probably* encountering selinux permission problems. No doubt, if
you investigate that line, you'll find lots of people telling you to
disable selinux, or set it to permissive. These people are evil, and
should be ignored. Instead, you need to learn how to correctly give
permission to the web content to your Apache user account. You're looking
for the chcon command line utility. See
http://serverfault.com/questions/396036/apache-httpd-permissions for a
possible starting place.

-- 
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon
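Added example for this thread (it is not Tom's or Rich's code and was not posted on the list): two checks an administrator can run when Apache starts answering 403 after the run user is switched to an unprivileged account, covering the two causes the thread touches on. The first walks every ancestor directory of the DocumentRoot and reports any that the run user cannot search, since `chown -R` on `/opt/fpp/www` does nothing for `/opt/fpp` above it. The second reads `ls -dZ` style "context path" lines and reports entries whose SELinux type is not one httpd may read, which is what `chcon` or `semanage fcontext` plus `restorecon` fix. The path `/opt/fpp/www` and the user `http-web` are taken from the thread; the `ls -dZ` sample lines are constructed for the demo, and GNU `stat -c` is assumed.

```sh
#!/bin/sh
# Added example (not from the thread). Requires GNU coreutils (stat -c) and awk.
# DocumentRoot /opt/fpp/www and run user http-web come from the thread;
# the ls -dZ sample below is constructed.

# 1. Discretionary permissions. The run user owns neither / nor /opt nor
#    /opt/fpp, so each of them needs the execute ("search") bit for
#    "other" or the user never reaches the DocumentRoot at all.
#    Prints "mode owner:group dir" for each offending directory and
#    returns 1 if any was found, 0 otherwise.
ancestors_without_search() {
    dir=$1
    found=0
    while :; do
        mode=$(stat -c '%A' "$dir")                # e.g. drwx------
        other_x=$(printf '%s' "$mode" | cut -c10)  # 10th char: other x / t / -
        case $other_x in
            x|t) ;;                                # t = sticky bit plus x (e.g. /tmp)
            *)
                printf '%s %s %s\n' "$mode" "$(stat -c '%U:%G' "$dir")" "$dir"
                found=1
                ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $found
}

# 2. Mandatory access control. With SELinux enforcing, httpd_t may only
#    read files whose type label is an httpd content type. Feed this the
#    output of `ls -dZ <paths>` ("context path" per line); it prints the
#    type and path of every entry Apache will be denied on.
web_mislabeled() {
    awk '{
        split($1, ctx, ":")             # user:role:type:level
        t = ctx[3]
        if (t != "httpd_sys_content_t" && t != "httpd_sys_rw_content_t")
            print t, $2
    }'
}

# Constructed sample: what `ls -dZ` shows when a DocumentRoot was created
# under /opt and never labelled for the web server.
SAMPLE_LSZ='unconfined_u:object_r:default_t:s0 /opt/fpp/www
unconfined_u:object_r:default_t:s0 /opt/fpp/www/index.html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html'

# Persistent fix for entries reported by web_mislabeled (run as root on
# the server; shown here as comments, not executed):
#   semanage fcontext -a -t httpd_sys_content_t "/opt/fpp/www(/.*)?"
#   restorecon -Rv /opt/fpp/www
# `chcon -R -t httpd_sys_content_t /opt/fpp/www` also works, but a later
# relabel reverts it; the semanage rule survives. The denials themselves
# are visible with `ausearch -m AVC -ts recent`.

printf '%s\n' "$SAMPLE_LSZ" | web_mislabeled
ancestors_without_search "$PWD" || echo "an unprivileged run user cannot reach $PWD"
```

On a real host you would pipe `ls -dZ /opt/fpp/www /opt/fpp/www/*` into `web_mislabeled` and run `ancestors_without_search /opt/fpp/www`; the demo at the bottom of the block only exercises the constructed sample and the current directory. The sample prints the two `default_t` entries, which is exactly the situation where the DAC bits look right and Apache still returns Forbidden.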