Hi Joshua,

That is a very good insightful mail. Thanks. Please read on.

On 2/9/08, Joshua Slive <[EMAIL PROTECTED]> wrote:
> On Feb 9, 2008 7:47 PM, sudhakar govindavajhala
> <[EMAIL PROTECTED]> wrote:
> >
> > Hi all,
> >
> > I manage the Information Security of a major financial institution.
> >
> > How do I get Apache to run as non-root user? As you can see below,
> > in spite of setting in httpd.conf, Apache is listening on port 8080 as
> > root.
> >
> > I googled around, but could not find a way to start Apache as "apache".
> > Some web pages/emails claim that Apache starts as root, and then switches
> > to user "apache". After connecting to port 8080 using telnet, I do not see
> > any new httpd process created. So, I do not trust these claims.
>
> Apache is a pre-forking server. It keeps a pool of processes available
> to serve incoming requests and therefore doesn't need to start new
> processes for each new connection. As your process listing shows, all
> processes except the master (control) process are running as user
> "apache", not as root. These are the processes that do the actual
> serving.

SG: What is a pre-forking server? How can I confirm that it is the worker threads that are serving the request and not master process? I am a little bit uneasy that the master is running as root, I am connecting to a port held by the master, and somehow the worker processes are serving the requests. Since I am connecting to a port held by a master, and since master is running as root, my root account becomes vulnerable to a potential buffer overflow security problem.

> > None of the docs is definitive. Why should the program start as root in
> > the first place? Can anyone help me?
>
> Apache normally starts as root because it needs root permission to bind
> to port 80. In your case, since you are using a non-privileged port,
> you can have the master process run as non-root as well.

Yes, by su-ing to user apache, it all works fine.

> The reason the master process is currently running as root is because
> you have root privileges when you start it. If you want it to run as a
> different user, simply change to that userid before starting the
> server. (How you do that depends on your OS.)
>
> Also note, however, that you may need to change file permissions. For
> example, if you start the server as the "apache" user, then that user
> will need to be able to write to the log directory. Normally, only
> root needs to be able to write there.

SG: Yes, I see what you mean.

--Sudhakar

> Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
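Added example, not part of the messages above and not Apache's code: a minimal pre-forking server in Python that shows the split discussed in the thread, where the master only binds the listening socket and forks, and each connection is answered by a worker that reports its own PID and effective UID. The function names, the loopback address, the worker count and the optional `drop_to` (uid, gid) parameter are assumptions of this sketch.

```python
import os, signal, socket

def worker(listener, drop_to=None):
    """Child: optionally drop privileges, then serve on the inherited socket."""
    if drop_to is not None and os.geteuid() == 0:
        # drop_to is an assumed (uid, gid) pair of an unprivileged account
        os.setgroups([])            # order matters: groups, gid, then uid
        os.setgid(drop_to[1])
        os.setuid(drop_to[0])
    while True:
        conn, _ = listener.accept()
        with conn:                  # reply names the process that served it
            conn.sendall(f"pid={os.getpid()} euid={os.geteuid()}\n".encode())

def start_prefork(n_workers=3, port=0, drop_to=None):
    """Master: bind once, fork the pool, never call accept() itself."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))   # port 0: any free unprivileged port
    listener.listen(16)
    pids = []
    for _ in range(n_workers):
        pid = os.fork()
        if pid == 0:                # child never returns into master code
            try:
                worker(listener, drop_to)
            finally:
                os._exit(0)
        pids.append(pid)
    return listener, pids

def who_served(port):
    """Client: connect once and parse the worker's self-report."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        fields = dict(f.split("=") for f in c.makefile("r").readline().split())
    return int(fields["pid"]), int(fields["euid"])

def demo(n_requests=5):
    """Return (master pid, worker pids, pid that answered each request)."""
    listener, workers = start_prefork()
    try:
        port = listener.getsockname()[1]
        served_by = [who_served(port)[0] for _ in range(n_requests)]
    finally:
        for pid in workers:         # constructed demo: stop the pool when done
            os.kill(pid, signal.SIGKILL)
            os.waitpid(pid, 0)
        listener.close()
    return os.getpid(), workers, served_by

if __name__ == "__main__":
    print(demo())
```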
