LinuxQuestions.org - Linux - Security
[Apache] How to change process owner for Apache? (https://www.linuxquestions.org/questions/linux-security-4/%5Bapahce%5D-how-to-change-process-owner-for-apache-503012/)

JockVSJock 11-19-2006 11:55 AM

[Apache] How to change process owner for Apache?
 
Learning as much on Apache right now on a test box, before I deploy it as a webserver to the world.

Anyways, I've noticed that when Apache runs, the parent process is root and the child processes are nobody.

Code:

cmmiller@probot:/var/www/htdocs/manual$ ps aux | grep httpd
root      2756  0.0  0.1  12240  252 ?        Ss  Nov12  0:00 /usr/sbin/httpd
nobody    2761  0.0  0.1  12364  384 ?        S    Nov12  0:00 /usr/sbin/httpd
nobody    2762  0.0  0.1  12392  388 ?        S    Nov12  0:00 /usr/sbin/httpd
nobody    2763  0.0  0.1  12348  416 ?        S    Nov12  0:00 /usr/sbin/httpd
nobody    2764  0.0  0.1  12240  360 ?        S    Nov12  0:00 /usr/sbin/httpd
nobody    2765  0.0  0.1  12392  372 ?        S    Nov12  0:00 /usr/sbin/httpd
nobody    2904  0.0  0.1  12392  368 ?        S    Nov12  0:00 /usr/sbin/httpd
nobody    4402  0.0  0.1  12364  428 ?        S    Nov13  0:00 /usr/sbin/httpd
cmmiller 13386  0.0  0.2  1676  616 pts/2    S+  04:33  0:00 grep httpd

This is a possible security threat in that running the parent process as root may allow an attacker root access to a machine.

Also, under /etc/apache/httpd.conf, Apache is set up with User and Group set to nobody:

Code:

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group "#-1" on these systems!
#
User nobody
Group nobody

So I've looked through the security links on this forum:

http://www.linuxquestions.org/questi...threadid=45261

and have found a URL that helps change all of this:

http://www.securityfocus.com/infocus/1694

1. The following commands create an Apache group and user, but I don't understand all of the flags; can someone please explain?

Code:

pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin

2. After running this, do I have to modify /etc/apache/httpd.conf to reflect the new Apache group/user?

thanks

unSpawn 11-20-2006 02:54 PM

Quote:

Originally Posted by JockVSJock

I've noticed that when Apache runs, the parent process is root and the child processes are nobody (..) This is a possible security threat in that running the parent process as root may allow an attacker root access to a machine.

By design the httpd parent runs as the root account user. It is not a risk, as only the children handle network connections. Think privilege separation.


Quote:

Originally Posted by JockVSJock

I don't understand all of the flags

Shouldn't you first "man groupadd; man useradd" and *then* ask?


Quote:

Originally Posted by JockVSJock

After running this, do I have to modify /etc/apache/httpd.conf to reflect the new Apache group/user?

Yes.

JockVSJock 11-20-2006 09:58 PM

Quote:

Originally Posted by unSpawn

By design the httpd parent runs as root account user. It is not a risk as only the children handle network connections. Think privilege separation.

I never heard of privilege separation...Wikipedia has an entry on the topic:

http://en.wikipedia.org/wiki/Privilege_separation


Quote:

Originally Posted by unSpawn

Shouldn't you first "man groupadd; man useradd" and *then* ask?

You're right, this answers some questions, but then creates more questions...

-c for Comment, but why? I don't see where this is going?

-d is for creating a directory, but the example goes to /dev/null, so are we creating a dummy user called Apache?

-g for group, does this point back to the group that for apache that I created and now shows under /etc/group?

-s is for a shell, like bash, zsh, csh...but this example points to /sbin/nologin...I don't get it...


I did try the example and can now show this off:

Code:

cmmiller@ladytron:~$ ps aux | grep httpd
root      7335  0.0  0.3  4248  1768 ?        Ss  20:15  0:00 ./httpd start
apache    7336  0.0  0.3  4248  1768 ?        S    20:15  0:00 ./httpd start
apache    7337  0.0  0.3  4248  1768 ?        S    20:15  0:00 ./httpd start
apache    7338  0.0  0.3  4248  1768 ?        S    20:15  0:00 ./httpd start
apache    7339  0.0  0.3  4248  1768 ?        S    20:15  0:00 ./httpd start
apache    7340  0.0  0.3  4248  1768 ?        S    20:15  0:00 ./httpd start
cmmiller  7402  0.0  0.1  1792  600 pts/3    R+  20:24  0:00 grep httpd

Much better!!!

unSpawn 11-21-2006 04:05 AM

Quote:

Originally Posted by JockVSJock

I never heard of privilege separation.

The phrase "drop privileges" maybe? The daemon starts with root account privileges since on regular boxen only root is allowed to bind to ports < 1024.


Quote:

Originally Posted by JockVSJock

-d is for creating a directory, but the example goes to /dev/null, so are we creating a dummy user called Apache?
-g for group, does this point back to the group for apache that I created and now shows under /etc/group?
-s is for a shell, like bash, zsh, csh...but this example points to /sbin/nologin...

You've created an inert account. Home can be set to anything that's useful, the group should match Apache's group, and the shell shows the "user" can't log in. On my boxen -d is set to /var/www and the UID is < UID_MIN (/etc/login.defs), making it a system account.
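The steps discussed across the thread (create an inert service account, point httpd.conf at it, and confirm that only the parent stays root while the network-facing children drop to the new user) put together as one script. This is an added example, not code from the thread or from the Apache project. It assumes Linux shadow-utils groupadd/useradd (the pw commands quoted in the first post are FreeBSD's pw(8) syntax), GNU sed for -i, and a POSIX awk; SAMPLE_GOOD and SAMPLE_BAD are constructed "user pid ppid args" lines, not captured ps output.

```shell
#!/bin/sh
# Added example (not from the thread): Linux equivalents of the pw(8) commands
# quoted in the first post, the httpd.conf change, and an audit of the running
# httpd process tree. Assumes shadow-utils groupadd/useradd, GNU sed (-i) and a
# POSIX awk. SAMPLE_GOOD / SAMPLE_BAD below are constructed, not real ps output.
set -u

# 1. Create an inert system account. Needs root; with DRY_RUN=1 the commands
#    are only printed.
#    -r  system account: UID/GID chosen below UID_MIN from /etc/login.defs
#    -c  GECOS comment, informational only
#    -d  home directory field; nothing is created without -m, so /var/www is fine
#    -g  primary group, which must already exist (hence groupadd first)
#    -s  login shell; /sbin/nologin refuses interactive logins
create_apache_account() {
    user=${1:-apache}
    run="sh -c"
    [ "${DRY_RUN:-0}" = 1 ] && run=echo
    $run "groupadd -r $user"
    $run "useradd -r -c 'Apache Server' -d /var/www -g $user -s /sbin/nologin $user"
}

# 2. Switch the active User/Group directives in httpd.conf. The commented
#    documentation lines start with '#', so the anchored patterns leave them alone.
#    (BSD sed needs `sed -i ''`; this uses the GNU form.)
set_httpd_user_group() {
    conf=$1 user=$2 group=$3
    sed -i -e "s/^User[[:space:]].*/User $user/" \
           -e "s/^Group[[:space:]].*/Group $group/" "$conf"
    grep -E '^(User|Group) ' "$conf"
}

# 3. Audit the httpd process tree: exactly one parent (a PID whose PPID is not
#    another httpd PID), and it must be root; every child must run as the
#    configured user. Feed it:  ps -o user=,pid=,ppid=,args= -C httpd
audit_httpd_procs() {
    awk -v want="$1" '
        { user[$2] = $1; ppid[$2] = $3 }
        END {
            parents = 0; bad = 0
            for (p in user) {
                if (!(ppid[p] in user)) {
                    parents++
                    if (user[p] != "root") { print "parent " p " runs as " user[p]; bad++ }
                } else if (user[p] != want) {
                    print "child " p " runs as " user[p] ", expected " want; bad++
                }
            }
            if (parents != 1) { print parents " httpd parents found, expected 1"; bad++ }
            exit (bad != 0)
        }'
}

# Constructed samples; the second still has a child on the old "nobody" account.
SAMPLE_GOOD='root 7335 1 /usr/sbin/httpd
apache 7336 7335 /usr/sbin/httpd
apache 7337 7335 /usr/sbin/httpd'
SAMPLE_BAD='root 2756 1 /usr/sbin/httpd
nobody 2761 2756 /usr/sbin/httpd
apache 2762 2756 /usr/sbin/httpd'

# Demonstration on the samples (no root needed):
DRY_RUN=1 create_apache_account apache
printf '%s\n' "$SAMPLE_GOOD" | audit_httpd_procs apache && echo "good sample: privilege separation intact"
printf '%s\n' "$SAMPLE_BAD" | audit_httpd_procs apache || echo "bad sample: audit failed as expected"
```

On a real box: run create_apache_account as root without DRY_RUN, call set_httpd_user_group on the live httpd.conf, restart httpd, then pipe `ps -o user=,pid=,ppid=,args= -C httpd` into audit_httpd_procs with the user you configured. The audit reports any leftover child still running as nobody (a stale parent that was not restarted) or a parent that is not root (which would mean nothing could have bound port 80 in the first place).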

