LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-19-2006, 11:55 AM   #1
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164Reputation: 164
[Apahce] How to change process owner for Apache?


Learning as much on Apache right now on a test box, before I deploy it as a webserver to the world.

Anyways, I've noticed that when Apache run that the parent process is Root and the child processes are nobody

Code:
cmmiller@probot:/var/www/htdocs/manual$ ps aux | grep httpd
root      2756  0.0  0.1  12240   252 ?        Ss   Nov12   0:00 /usr/sbin/httpd
nobody    2761  0.0  0.1  12364   384 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2762  0.0  0.1  12392   388 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2763  0.0  0.1  12348   416 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2764  0.0  0.1  12240   360 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2765  0.0  0.1  12392   372 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    2904  0.0  0.1  12392   368 ?        S    Nov12   0:00 /usr/sbin/httpd
nobody    4402  0.0  0.1  12364   428 ?        S    Nov13   0:00 /usr/sbin/httpd
cmmiller 13386  0.0  0.2   1676   616 pts/2    S+   04:33   0:00 grep httpd
This is a possible security threat in that running the parent process as root, may allow an attacker root access to a machine.

Also under /etc/apache/httpd.conf, Apache is setup with User and Group set to nobody

Code:

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group "#-1" on these systems!
#
User nobody
Group nobody
So I've looked thru the security links on this forum

http://www.linuxquestions.org/questi...threadid=45261

And have found a URL that helps change all of this:

http://www.securityfocus.com/infocus/1694

1. The following commands creates an Apache group and user, but I don't understand all of the flags, can someone please explain?

Code:
pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
2. If after running this, do I have to modify /etc/apache/httpd.conf to reflect the new Apache group/users?

thanks
 
Old 11-20-2006, 02:54 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I've noticed that when Apache run that the parent process is Root and the child processes are nobody (..) This is a possible security threat in that running the parent process as root, may allow an attacker root access to a machine.
By design the httpd parent runs as root account user. It is not a risk as only the children handle network connections. Think privilege separation.


I don't understand all of the flags
Shouldn't you first "man groupadd; man useradd" and *then* ask?


If after running this, do I have to modify /etc/apache/httpd.conf to reflect the new Apache group/users?
Yes.
 
Old 11-20-2006, 09:58 PM   #3
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Rep: Reputation: 164Reputation: 164
Quote:
Originally Posted by unSpawn

By design the httpd parent runs as root account user. It is not a risk as only the children handle network connections. Think privilege separation.
I never heard of privilege separation...Wikipedia has an entry on the topic:

http://en.wikipedia.org/wiki/Privilege_separation


Quote:
Originally Posted by unSpawn

Shouldn't you first "man groupadd; man useradd" and *then* ask?
Your right, this answers some questions, but then creates more questions...

-c for Comment, but why? I don't see where this is going?

-d is for creating a directory, but the example goes to /dev/null, so are we creating a dummy user called Apache?

-g for group, does this point back to the group that for apache that I created and now shows under /etc/group?

-s is for a shell, like bash, zsh, csh...but this example points to /sbin/nologin...I don't get it...


I did try the example and now can show this off

Code:
cmmiller@ladytron:~$ ps aux | grep httpd
root      7335  0.0  0.3   4248  1768 ?        Ss   20:15   0:00 ./httpd start
apache    7336  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
apache    7337  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
apache    7338  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
apache    7339  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
apache    7340  0.0  0.3   4248  1768 ?        S    20:15   0:00 ./httpd start
cmmiller  7402  0.0  0.1   1792   600 pts/3    R+   20:24   0:00 grep httpd
Much better!!!
 
Old 11-21-2006, 04:05 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I never heard of privilege separation.
The phrase "drop privileges" maybe? The daemon starts with root account privileges since on regular boxen only root is allowed to bind to ports < 1024.


-d is for creating a directory, but the example goes to /dev/null, so are we creating a dummy user called Apache?
-g for group, does this point back to the group that for apache that I created and now shows under /etc/group?
-s is for a shell, like bash, zsh, csh...but this example points to /sbin/nologin...

You've created an inert account. Home can be set to anything that's useful, the group should match Apache's group and the shell shows the "user" can't login. On my boxen -d is set to /var/www and the UID is < UID_MIN (/etc/login.defs) making it a system account.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to determine who the process' owner* is? balteo Linux - General 3 04-20-2013 05:40 AM
Change owner arubin Linux - Newbie 3 04-30-2004 12:23 PM
[APACHE] change upload owner Creak Linux - Software 0 03-14-2004 05:59 PM
Change owner juno Linux - General 3 01-08-2003 07:03 AM
apache, process owner, and rsync/ssh question Kruel Linux - Networking 0 03-01-2002 12:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration