LinuxQuestions.org
Old 11-27-2005, 08:28 PM   #1
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Rep: Reputation: 30
who should httpd run as


Hello,

Just ran top and noticed that I have httpd running as root as well as www.
Code:
last pid:   637;  load averages:  0.00,  0.00,  0.00    up 0+00:22:56  10:24:21
36 processes:  1 running, 35 sleeping
CPU states:  1.2% user,  0.0% nice,  0.0% system,  0.0% interrupt, 98.8% idle
Mem: 78M Active, 11M Inact, 30M Wired, 24M Buf, 123M Free
Swap: 512M Total, 512M Free

  PID USERNAME PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
  495 root     -58    0 50176K 49396K bpf      0:04  0.00%  0.00% snort
  494 mysql     20    0 56632K 26560K kserel   0:03  0.00%  0.00% mysqld
  621 root      96    0  2316K  1584K RUN      0:01  0.00%  0.00% top
  435 root      96    0 15116K  9832K select   0:01  0.00%  0.00% httpd
  614 lord_fu   96    0  6116K  2952K select   0:00  0.00%  0.00% sshd
  170 root       8    0  1780K  1396K nanslp   0:00  0.00%  0.00% ipmon
  276 root      96    0  1328K   896K select   0:00  0.00%  0.00% syslogd
  611 root       4    0  6140K  2892K sbwait   0:00  0.00%  0.00% sshd
  618 root      20    0  2296K  1796K pause    0:00  0.00%  0.00% csh
  617 lord_fu    8    0  1608K  1284K wait     0:00  0.00%  0.00% su
  460 mysql      8    0  1660K  1196K wait     0:00  0.00%  0.00% sh
  615 lord_fu    8    0  1692K  1284K wait     0:00  0.00%  0.00% sh
  413 root       8    0  1364K  1052K nanslp   0:00  0.00%  0.00% cron
  550 root       5    0  1288K   952K ttyin    0:00  0.00%  0.00% getty
  551 root       5    0  1288K   952K ttyin    0:00  0.00%  0.00% getty
  556 root       5    0  1288K   952K ttyin    0:00  0.00%  0.00% getty
  554 root       5    0  1288K   952K ttyin    0:00  0.00%  0.00% getty
  557 root       5    0  1288K   952K ttyin    0:00  0.00%  0.00% getty
  552 root       5    0  1288K   952K ttyin    0:00  0.00%  0.00% getty
  555 root       5    0  1288K   952K ttyin    0:00  0.00%  0.00% getty
  553 root       5    0  1288K   952K ttyin    0:00  0.00%  0.00% getty
  392 root      96    0  3384K  2544K select   0:00  0.00%  0.00% sshd
  504 root       4    0  1360K   828K accept   0:00  0.00%  0.00% vsftpd
  455 www        4    0 15144K  9860K accept   0:00  0.00%  0.00% httpd
  454 www        4    0 15144K  9860K accept   0:00  0.00%  0.00% httpd
  456 www        4    0 15144K  9860K accept   0:00  0.00%  0.00% httpd
  458 www        4    0 15144K  9860K accept   0:00  0.00%  0.00% httpd
  457 www        4    0 15144K  9860K accept   0:00  0.00%  0.00% httpd
  520 root     116    0  1240K   744K select   0:00  0.00%  0.00% moused
  258 root     116    0   516K   356K select   0:00  0.00%  0.00% devd
  192 root      20    0  1192K   648K pause    0:00  0.00%  0.00% adjkerntz
I have never noticed that before; is that bad? I thought httpd runs as www..
Slightly off topic, whom should the files in my www dir be owned by?

Thank you for any help offered.

freeBSD 5.4
default kernel
apache-1.3.34

Last edited by lord-fu; 11-27-2005 at 08:31 PM.
 
Old 11-27-2005, 08:54 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
Apache must be started as root since only root can bind to a port lower than 1024. The individual listening processes run as the nonprivileged www user though, as you see. As for the ownership of the files in the Web directory, that's mostly your call. I set them to be owned by whoever will need to edit them most frequently. One thing I do, though, is to not make them writeable by the www user, so they can't be modified by the web server itself (of course the www user must be able to read them).
 
Old 11-27-2005, 09:00 PM   #3
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Original Poster
Rep: Reputation: 30
Awesome, thank you for clearing that up for me.
 
Old 11-27-2005, 10:14 PM   #4
The MCP
Member
 
Registered: Nov 2003
Distribution: SUSE
Posts: 31

Rep: Reputation: 15
Starting apache w/o root privileges

Quote:
Originally posted by btmiller
Apache must be started as root since only root can bind to a port lower than 1024. The individual listening processes run as the nonprivileged www user though, as you see. As for the ownership of the files in the Web directory, that's mostly your call. I set them to be owned by whoever will need to edit them most frequently. One thing I do, though, is to not make them writeable by the www user, so they can't be modified by the web server itself (of course the www user must be able to read them).
A little trick I came up with to avoid having to be root to start httpd: Have httpd listen on some high port (like 6666), then set up firewall rules to redirect all incoming traffic on 80 to 6666 and all outbound traffic on 6666 to 80. The fewer root processes you have running the better, right?

BTW - Good idea to take away apache's write access to the DocumentRoot! I'll go implement that now...
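
A check for the permission advice in posts #2 and #4, as an added example that is not part of the original thread: this POSIX shell function lists every entry under a DocumentRoot that the web server account could modify. The `www` defaults come from the top output in post #1; the function names and the directory you pass in are assumptions.

```shell
#!/bin/sh
# Added example: list DocumentRoot entries the web server account can write to.
# Assumptions: the worker account and its primary group default to "www"
# (as seen in the thread's top output); DIR is your DocumentRoot.

# audit_docroot DIR [USER] [GROUP]
# Prints one path per line for every file or directory that USER can modify
# through the owner, group or world write bit. A writable directory counts,
# because it lets the account create, rename or delete entries inside it.
# Symlinks are skipped: their own mode bits are not used for access checks.
# Not covered: ACLs, supplementary groups, directories above DIR.
audit_docroot() {
    dir=$1
    user=${2:-www}
    group=${3:-www}
    [ -d "$dir" ] || { echo "audit_docroot: not a directory: $dir" >&2; return 2; }
    find "$dir" ! -type l \( \
        \( -user "$user" -perm -0200 \) -o \
        \( -group "$group" -perm -0020 \) -o \
        -perm -0002 \
    \) -print
}

# docroot_is_readonly DIR [USER] [GROUP]
# Returns 0 when nothing under DIR is writable by USER, 1 when something is,
# and 2 when the audit itself failed (bad path, unknown account name).
docroot_is_readonly() {
    findings=$(audit_docroot "$@") || return 2
    [ -z "$findings" ]
}
```

Run it as `audit_docroot /path/to/docroot` after changing ownership or modes; any path it prints is one the `www` workers could alter if they were compromised.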
 
  

