[Apache] How to change process owner for Apache?
Learning as much as I can about Apache right now on a test box, before I deploy it as a webserver to the world.
Anyway, I've noticed that when Apache runs, the parent process is root and the child processes are nobody.
Also, under /etc/apache/httpd.conf, Apache is set up with User and Group set to nobody.
http://www.linuxquestions.org/questi...threadid=45261

And I have found a URL that helps change all of this: http://www.securityfocus.com/infocus/1694

1. The following commands create an Apache group and user, but I don't understand all of the flags; can someone please explain?

Thanks
Quote:
I've noticed that when Apache runs, the parent process is root and the child processes are nobody (..) This is a possible security threat in that running the parent process as root may allow an attacker root access to a machine.

By design the httpd parent runs as the root account user. It is not a risk, as only the children handle network connections. Think privilege separation.

Quote:
I don't understand all of the flags

Shouldn't you first "man groupadd; man useradd" and *then* ask?

Quote:
If after running this, do I have to modify /etc/apache/httpd.conf to reflect the new Apache group/users?

Yes.
Quote:
http://en.wikipedia.org/wiki/Privilege_separation
-c is for Comment, but why? I don't see where this is going.
-d is for creating a directory, but the example goes to /dev/null, so are we creating a dummy user called Apache?
-g is for group; does this point back to the group for Apache that I created and now shows under /etc/group?
-s is for a shell, like bash, zsh, csh... but this example points to /sbin/nologin... I don't get it...

I did try the example and now can show this off:
Code:
cmmiller@ladytron:~$ ps aux | grep httpd
Quote:
I've never heard of privilege separation.

The phrase "drop privileges" maybe? The daemon starts with root account privileges since on regular boxen only root is allowed to bind to ports < 1024.

Quote:
-d is for creating a directory, but the example goes to /dev/null, so are we creating a dummy user called Apache? -g is for group; does this point back to the group for Apache that I created and now shows under /etc/group? -s is for a shell, like bash, zsh, csh... but this example points to /sbin/nologin...

You've created an inert account. Home can be set to anything that's useful, the group should match Apache's group, and the shell shows the "user" can't log in. On my boxen -d is set to /var/www and the UID is < UID_MIN (/etc/login.defs), making it a system account.
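As an added example (not code from this thread or from the securityfocus article), here is a POSIX shell script that ties the pieces of the discussion together: it prints the groupadd/useradd commands for an inert system account (using -r for the below-UID_MIN system account unSpawn describes, with the home directory, matching group and /sbin/nologin shell covered above), rewrites the User/Group directives in an httpd.conf read on stdin, and checks ps-style output to confirm that only the parent httpd runs as root and every child runs as the configured user. The account name apache, the home directory /var/www, the httpd.conf fragment and the ps output are all constructed for the example; the script never touches the real system, it only prints the account commands.

```shell
#!/bin/sh
# Added example, not code from the thread: account-creation commands,
# httpd.conf User/Group rewrite, and a check of the resulting process owners.
set -eu

# Constructed httpd.conf fragment (hypothetical; still at the default "nobody").
SAMPLE_CONF='ServerRoot "/etc/apache"
User nobody
Group nobody
Listen 80'

# Constructed "ps -eo user,pid,ppid,comm"-style output (hypothetical). One child
# still runs as nobody, as happens when httpd.conf was not updated before a restart.
SAMPLE_PS='USER       PID  PPID COMMAND
root       812     1 /usr/sbin/httpd
apache     815   812 /usr/sbin/httpd
apache     816   812 /usr/sbin/httpd
nobody     817   812 /usr/sbin/httpd'

# Print (do not run) the commands for an inert system account:
#   -r  system account, UID/GID below UID_MIN/GID_MIN from /etc/login.defs
#   -c  free-text comment stored in the GECOS field of /etc/passwd
#   -d  home directory; Apache needs none, so point it at the docroot
#   -g  primary group, which must match Apache's Group directive
#   -s  /sbin/nologin so the account can never log in interactively
apache_account_cmds() {
  user=$1; group=$2; home=$3
  printf 'groupadd -r %s\n' "$group"
  printf 'useradd -r -c "Apache web server" -d %s -g %s -s /sbin/nologin %s\n' \
    "$home" "$group" "$user"
}

# Rewrite the User and Group directives of an httpd.conf read on stdin.
set_apache_user() {
  sed -e "s/^User .*/User $1/" -e "s/^Group .*/Group $2/"
}

# Read ps-style lines (USER PID PPID COMMAND) on stdin and verify that the httpd
# with no httpd parent (the master) runs as root while every child runs as $1.
# Exits 0 when the layout is correct, 1 otherwise, naming each offender.
check_httpd_owners() {
  awk -v want="$1" '
    NR == 1 { next }                                  # skip the header line
    $4 ~ /httpd$/ { n++; user[n] = $1; pid[n] = $2; ppid[n] = $3; ishttpd[$2] = 1 }
    END {
      for (i = 1; i <= n; i++) {
        if (!(ppid[i] in ishttpd)) {                  # no httpd parent: the master
          if (user[i] != "root") { print "parent not root: " user[i] " " pid[i]; bad = 1 }
        } else if (user[i] != want) {
          print "child not " want ": " user[i] " " pid[i]; bad = 1
        }
      }
      if (bad) exit 1
      exit 0
    }'
}

# Demonstration over the constructed samples.
apache_account_cmds apache apache /var/www
printf '%s\n' "$SAMPLE_CONF" | set_apache_user apache apache
if printf '%s\n' "$SAMPLE_PS" | check_httpd_owners apache; then
  echo "httpd ownership looks right"
else
  echo "fix User/Group in httpd.conf and restart httpd"
fi
```

On a real box you would run the printed groupadd/useradd lines as root, apply set_apache_user to your httpd.conf (writing to a copy first), restart httpd, and then feed `ps -eo user,pid,ppid,comm` into check_httpd_owners to confirm the parent is still root and every worker is the new account.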