[Apahce] How to change process owner for Apache?

JockVSJock · 11-19-2006, 11:55 AM

Learning as much on Apache right now on a test box, before I deploy it as a webserver to the world.

Anyways, I've noticed that when Apache run that the parent process is Root and the child processes are nobody

Code:

cmmiller@probot:/var/www/htdocs/manual$ ps aux | grep httpd
root      2756  0.0  0.1  12240   252 ?        Ss   Nov12   0:00 /usr/sbin/httpd
nobody    2761  0.0  0.1  12364   384 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2762  0.0  0.1  12392   388 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2763  0.0  0.1  12348   416 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2764  0.0  0.1  12240   360 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2765  0.0  0.1  12392   372 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2904  0.0  0.1  12392   368 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    4402  0.0  0.1  12364   428 ?        S    Nov13   0:00 /usr/sbin/httpd
cmmiller 13386  0.0  0.2   1676   616 pts/2    S+   04:33   0:00 grep httpd

This is a possible security threat in that running the parent process as root, may allow an attacker root access to a machine.

Also under /etc/apache/httpd.conf, Apache is setup with User and Group set to nobody

Code:


# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group "#-1" on these systems!
#
User nobody
Group nobody

So I've looked thru the security links on this forum

http://www.linuxquestions.org/questi...threadid=45261

And have found a URL that helps change all of this:

http://www.securityfocus.com/infocus/1694

1. The following commands creates an Apache group and user, but I don't understand all of the flags, can someone please explain?

Code:

pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin

2. If after running this, do I have to modify /etc/apache/httpd.conf to reflect the new Apache group/users?

thanks

unSpawn · 11-20-2006, 02:54 PM

I've noticed that when Apache run that the parent process is Root and the child processes are nobody (..) This is a possible security threat in that running the parent process as root, may allow an attacker root access to a machine.
By design the httpd parent runs as root account user. It is not a risk as only the children handle network connections. Think privilege separation.

I don't understand all of the flags
Shouldn't you first "man groupadd; man useradd" and *then* ask?

If after running this, do I have to modify /etc/apache/httpd.conf to reflect the new Apache group/users?
Yes.

JockVSJock · 11-20-2006, 09:58 PM

Quote:

Originally Posted by unSpawn

By design the httpd parent runs as root account user. It is not a risk as only the children handle network connections. Think privilege separation.

I never heard of privilege separation...Wikipedia has an entry on the topic:

http://en.wikipedia.org/wiki/Privilege_separation

Quote:

Originally Posted by unSpawn

Shouldn't you first "man groupadd; man useradd" and *then* ask?

Your right, this answers some questions, but then creates more questions...

-c for Comment, but why? I don't see where this is going?

-d is for creating a directory, but the example goes to /dev/null, so are we creating a dummy user called Apache?

-g for group, does this point back to the group that for apache that I created and now shows under /etc/group?

-s is for a shell, like bash, zsh, csh...but this example points to /sbin/nologin...I don't get it...

I did try the example and now can show this off

Code:

cmmiller@ladytron:~$ ps aux | grep httpd
root      7335  0.0  0.3   4248  1768 ?        Ss   20:15   0:00 ./httpd start
apache    7336  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
apache    7337  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
apache    7338  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
apache    7339  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
apache    7340  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
cmmiller  7402  0.0  0.1   1792   600 pts/3    R+   20:24   0:00 grep httpd

Much better!!!

unSpawn · 11-21-2006, 04:05 AM

I never heard of privilege separation.
The phrase "drop privileges" maybe? The daemon starts with root account privileges since on regular boxen only root is allowed to bind to ports < 1024.

-d is for creating a directory, but the example goes to /dev/null, so are we creating a dummy user called Apache?
-g for group, does this point back to the group that for apache that I created and now shows under /etc/group?
-s is for a shell, like bash, zsh, csh...but this example points to /sbin/nologin...
You've created an inert account. Home can be set to anything that's useful, the group should match Apache's group and the shell shows the "user" can't login. On my boxen -d is set to /var/www and the UID is < UID_MIN (/etc/login.defs) making it a system account.