LinuxQuestions.org
Old 03-05-2004, 12:31 PM   #1
keygrip
LQ Newbie
 
Registered: Feb 2004
Posts: 5

Rep: Reputation: 0
Question on users under which servers run


I'm having trouble understanding the concept of using special users for servers to run under.

For example, I just installed Apache on my SuSE 8.2 Pro box. No problem. The thing works, and life is good. When I run "ps aux | grep httpd" I see

$ ps aux | grep httpd

root 2472 0.1 1.3 ... S 12:10 0:00 /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun 2473 0.0 1.3... S 12:10 0:00 [httpd]

which tells me that the original process started as root, and then process 2473 was started under the user name wwwrun.

When I look in my /etc/shadow file, I see the entry for wwwrun:

wwwrun:*:8902:0:10000::::

From what I read, I think the * in the second field means that logins are disabled for this account.

So, how does it work? The logging directory, /var/log/httpd, is set up with root as user and group owner, and a mask of 770. How does the httpd process do its work when it's running under a user who can't log in and has no rights?

Thanks,
Steve

PS: Some entries in /etc/shadow have a "*" in the second field, while others have a "!". Does that make any difference?
 
Old 03-05-2004, 02:48 PM   #2
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2387
When you start apache one process is started as user root. This process checks the other httpd processes (do I need to start another one, did one die, are we crossing config limits etc), it doesn't handle the web request itself, that's done by the other httpd processes.

All other httpd processes run as a different user (wwwrun in your case). The master process has the authority to spawn processes which run as a different user.

The disabled option that shows up in your shadow file tells you that it is disabled for normal usage. It's not allowed to log in and have a login shell.

As long as the appropriate files have world readability, your pages will be shown.

Personally I changed ownership/group of the appropriate files to the httpd user. No world readability, actually only readability for owner and group. I also use some php scripts and I don't want people getting root access if I make a mistake somewhere. Just a little extra (?) security.

The ! in the password field shows that the password is relocated, probably to /etc/gshadow.

Hope this helps.
 
Old 03-05-2004, 03:21 PM   #3
keygrip
LQ Newbie
 
Registered: Feb 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks. That makes a lot of sense.

I'm still a bit confused about how logging happens. If the httpd process runs under user wwwrun, and the logging happens in file /var/log/httpd/access_log, which has a profile of -rw-r--r--, how does wwwrun add entries to the log file? Or does root monitor the process enough to be able to handle all of the logging that needs to occur? I guess I just don't understand well enough the relationship between the original process running as root, and subsequent processes that are spawned under the wwwrun user.
 
Old 03-05-2004, 03:50 PM   #4
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2387
You don't specify who owns that logfile. It should be wwwrun, which has the read/write access.

To give you an idea, here are some of the files on my box:
-rw------- wwwrun www access_log
-rw------- wwwrun www agent_log
-rw-r----- root root apache_runtime_status
-rw------- wwwrun www error_log
-rw-r----- root root httpd.pid

The exact way apache handles its processes can be influenced by the httpd.conf file. Especially apache 2+ has some excellent options for changing the way requests are handled.

The default is to have 1 master process (runs as root and should not die) that controls other httpd processes (children).

For example: You might have seen these options in your httpd.conf (numbers are probably different, don't worry about that):

StartServers 4
MinSpareServers 2
MaxSpareServers 6
MaxClients 75
MaxRequestsPerChild 0

These are some of the things that the master process will check. So when apache is started for the first time the master process will create (spawn) 4 httpd processes (the StartServers 4 directive) that will run as user wwwrun.

These child processes handle the incoming (web) request(s) and do (some of) the logging, so some of the logfiles should have write access for the wwwrun user. Making wwwrun the owner of the file and giving exclusive write access to wwwrun is what I prefer.

Depending on your configuration, a child will die after 1 request or stay alive to handle other requests. If it dies and the number of remaining children is within the MinSpareServers and MaxSpareServers setting, a new httpd could be created (I do not know if a new child is created when there are only 2 left or that 4 is what the master process tries to achieve [numbers are from example]).

Hope this clears things up a bit.
 
Old 03-05-2004, 04:41 PM   #5
keygrip
LQ Newbie
 
Registered: Feb 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks again for your help.

Back to the logging question...

The directory where the logs are located is /var/log/httpd. The directory itself has a profile of drwxrwx---. Within this directory are three files:

linux: /var/log/httpd #ls -l

total 21
drwxrwx--- 2 root root 144 2004-03-03 09:07 .
drwxr-xr-x 9 root root 872 2004-03-05 07:45 ..
-rw-r--r-- 1 root root 5795 2004-03-05 16:27 access_log
-rw-r--r-- 1 root root 4485 2004-03-05 16:26 error_log
-rw-r--r-- 1 root root 10 2004-03-05 12:10 rcapache.out

So the access_log is world readable, but writable only for root. I notice, though, that the file error_log contains the following entry:

[Fri Mar 5 12:10:17 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

Maybe the wwwrun user is using this suEXEC mechanism to write to these logs, or something. I obviously need a broader knowledge base generally. Thanks again.
 
Old 03-06-2004, 01:27 PM   #6
Qzukk
Member
 
Registered: Jun 2003
Posts: 132

Rep: Reputation: 15
The reason everything works is because the stuff starts as root (who can do almost anything, including switching to a user that can't login), opens the log files, *then* switches to wwwrun.

The reason it's done is that if someone manages to instruct apache to erase everything, the wwwrun user can't erase anything it doesn't own.
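
The sequence described in post #6 (open the log file while the process has access, then give that access up), as an added C example that is not part of the thread and is not Apache's own code. The temp path, `DEMO_ID` (65534) and the function names are assumptions; run as root it really drops to that id, otherwise it strips the file's permissions with `fchmod` as a stand-in for the drop.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEMO_ID 65534  /* assumption: unprivileged uid/gid standing in for wwwrun */

/* Runs after access is lost. Bit 0: write via the inherited fd worked.
   Bit 1: a fresh open() of the same path was refused with EACCES. */
static int worker(int logfd, const char *path) {
    static const char line[] = "GET /index.html 200\n";  /* constructed entry */
    int wrote = write(logfd, line, sizeof line - 1) == (ssize_t)(sizeof line - 1);
    int fd = open(path, O_WRONLY | O_APPEND);  /* permissions are checked here */
    int denied = fd < 0 && errno == EACCES;
    if (fd >= 0) close(fd);
    return (wrote ? 1 : 0) | (denied ? 2 : 0);
}

/* Returns the worker's bits, 4 if access could not be removed, -1 on setup error. */
int open_then_drop(void) {
    char path[] = "/tmp/access_log.XXXXXX";
    int logfd = mkstemp(path);  /* "master" opens the log: mode 0600, owner only */
    if (logfd < 0) return -1;
    pid_t pid = fork();         /* the child plays the part of an httpd worker */
    if (pid == 0) {
        if (geteuid() == 0) {   /* real drop, in this order: groups, gid, uid */
            if (setgroups(0, NULL) || setgid(DEMO_ID) || setuid(DEMO_ID)) _exit(4);
        } else if (fchmod(logfd, 0) != 0) {  /* non-root stand-in for the drop */
            _exit(4);
        }
        _exit(worker(logfd, path));
    }
    int status = 0, rc = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    unlink(path);
    close(logfd);
    return rc;
}

int main(void) {
    printf("result bits: %d\n", open_then_drop());
    return 0;
}
```

A result of 3 means the descriptor opened earlier still accepted the write while a new open() of the same path was refused: the kernel checks file permissions when the file is opened, not on each write.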
 