HOWTO: Running apache as unprivileged user (no root process)
vdboor
Posted: Tue Jun 22, 2004 9:25 am

Hi,

Some of my classmates told me how I could run apache as a normal user. In their opinion, apache has a lot of security holes. (maybe less than IIS, but it's still too much) In a normal setup, apache runs as root, and forks child processes that run under a less-privileged user, commonly "apache". This short tutorial explains how to get rid of the main root process, because it's the process that makes your server vulnerable.

There is one drawback: you need to run apache behind a NAT/router, because apache needs to listen on a different, higher, port. However, if you care about security you don't run a webserver on your router ;) A DMZ is the best solution.


The things you need to change are:

  • The port apache listens on. A normal user can only listen on port numbers higher than 1024. For example, you could use 10080 for normal HTTP, and 10443 for HTTPS. Search for the keyword "Listen" in the apache config files. They are located in /etc/apache2/conf/ under Gentoo.
  • In your router/NAT settings you map the external port (80) to the internal 10080 port!

  • Open /etc/init.d/apache2 in a text editor, and add the following to the start() { .... } function:
    Code:

        chgrp apache /var/log/apache2/   # let group apache write the log directory
        chmod g+w    /var/log/apache2/
        chgrp apache /var/run/           # let apache create its pid file in /var/run
        chmod  +t    /var/run/           # sticky bit: users may only delete their own files
        chmod g+w    /var/run/

    At a reboot, some permissions will be reset, and that's why I set them in the init.d script. We give the user apache permission to write the log files in /var/log/apache2/, and access to create a pid file in /var/run/.

    Also add this option to the "start-stop-daemon" command:
    Code:
     --chuid apache
    This runs the daemon as the user "apache". If you use a different user in your apache config files, replace "apache" in the previous commands with that particular user.

  • Try to start the server. Also confirm that the server is running, because the init script doesn't always notice that apache stops because of a permissions problem. You can use one of these commands for this:

    Code:

        ps auxf
        netstat -lnpt

You should see a tree of apache processes, and the main process should run under the user "apache" as well.


If apache doesn't start at once you can try one of the following things:

  • Disable SSL temporarily in /etc/conf.d/apache2. I had some problems with SSL keys being generated in a folder where 'apache' didn't have permissions.
  • Try to run the apache server manually; give the user 'apache' a shell in /etc/passwd, and use "su - apache" as root to open a shell. Then run one of the following commands:
    Code:
        apache2ctl -k start
        strace -e trace=open -f   apache2ctl -k start

    The second one reveals what files apache is trying to open, and might give a clue about where you forgot a permission.


Hope this helps ;)
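As an added example (not part of the original post), here is a small POSIX sh check for the verification step above: after starting apache with --chuid, it confirms from ps auxf and netstat -lnpt style output that no apache2 process runs as root and that apache only listens on unprivileged ports. The three sample listings are constructed inline so the functions can be run offline; in practice you would feed them `ps auxf` and `netstat -lnpt` output.

```shell
#!/bin/sh
# Added example, not from the original post: post-start checks for an
# apache started with "start-stop-daemon --chuid apache".

# Constructed sample of `ps auxf` output after the HOWTO: parent and children run as apache
PS_OK='apache    1234  0.0  0.5  12345  6789 ?  Ss   09:25   0:00 /usr/sbin/apache2 -k start
apache    1235  0.0  0.4  12345  5678 ?  S    09:25   0:00  \_ /usr/sbin/apache2 -k start
apache    1236  0.0  0.4  12345  5678 ?  S    09:25   0:00  \_ /usr/sbin/apache2 -k start'

# Constructed sample of the default setup the HOWTO removes: parent still runs as root
PS_ROOT='root      1234  0.0  0.5  12345  6789 ?  Ss   09:25   0:00 /usr/sbin/apache2 -k start
apache    1235  0.0  0.4  12345  5678 ?  S    09:25   0:00  \_ /usr/sbin/apache2 -k start'

# Constructed sample of `netstat -lnpt` with the ports suggested above
NETSTAT_OK='tcp        0      0 0.0.0.0:10080           0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 0.0.0.0:10443           0.0.0.0:*               LISTEN      1234/apache2'

# Returns 0 if every line mentioning apache2 in the ps listing ($2) has user $1
# (default "apache") in the first column, 1 if any apache2 process runs as someone else.
apache_runs_as_user() {
    user="${1:-apache}"
    ps_lines="$2"
    printf '%s\n' "$ps_lines" | awk -v u="$user" '
        /apache2/ && $1 != u { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Returns 0 if every apache2 LISTEN socket in the netstat listing ($1) uses a port
# of 1024 or higher, 1 if apache still holds a privileged port such as 80 or 443.
apache_ports_unprivileged() {
    netstat_lines="$1"
    printf '%s\n' "$netstat_lines" | awk '
        $NF ~ /apache2/ {
            n = split($4, a, ":"); port = a[n] + 0   # last colon field is the port
            if (port < 1024) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run against the constructed samples
if apache_runs_as_user apache "$PS_OK" && apache_ports_unprivileged "$NETSTAT_OK"; then
    echo "apache runs unprivileged on unprivileged ports"
else
    echo "WARNING: apache still has root or a privileged port" >&2
fi
```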
rojaro
Posted: Thu Jun 24, 2004 1:31 pm

Additional Note: To redirect requests that arrive on port 80 to port 10080, you can use the following command:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i lo -j DNAT --to <your-ip-address-here>:10080

SnEptUne
Posted: Tue Nov 02, 2004 3:25 am

Although chrooting apache would give extra security, I believe your setup increases security risk. You have made the various log files accessible to user apache. A cracker could utilize this permission to edit the log and even retrieve sensitive information from the logs. Additionally, for chrooting to work, various ssl certificates must be made readable to user apache. Wouldn't it be better to create a new user account for the apache parent?