First, a few notes:
- It is standard practice to run Apache as a dedicated, unprivileged service account rather than as a shared or interactive user.
- Under no circumstances should the configured User be root. The parent httpd process starts as root so it can bind ports 80 and 443, then hands request handling to worker processes that run as the User you configure; Apache refuses to run its workers as root unless it was deliberately built to allow it.
- Running the workers as a non-root user limits the damage a compromised website can do: an attacker who gets code execution through the site is confined to whatever that account can read, write and connect to.
- In an Enterprise environment, controlling which user Apache runs as also lets you grant and control access to other resources based on that account. For instance, in an Active Directory environment, an Apache instance that needs to serve a list of photos from another server or share can do so if you grant the configured Apache user access to those particular servers or shares.
Since not everybody reading this will be in an Active Directory domain, I will detail how to change the Apache user in both Active Directory and on standalone Linux servers.
Create the Linux User
Create a local user on the Linux machine whose primary group is the ‘apache’ group. This step is not required if the server is bound to Active Directory; in that case, proceed to the section Active Directory Bound Server.
SSH to the webserver in question
Run the following command
useradd -u uidNumberHere -g apachegroupnumberhere -s /login/shell -d /home/dir/here UsernameHere
Example: useradd -u 11200 -g 48 -s /sbin/nologin -d /var/www ApacheFooUser
Note: the apache group ID is 48 on RHEL-family systems, but it varies by distribution (Debian and Ubuntu use the www-data group, ID 33), so check the apache entry in /etc/group to verify the group ID rather than assuming it. Group IDs live in /etc/group, not /etc/passwd.
Set the password for the account, or lock it if nothing will ever authenticate as this user: a service account with a nologin shell does not need a usable password unless you rely on the UID/password matching trick described later.
Configure Apache to run as the new user
SSH to the server in question
Edit the Apache config file (/etc/httpd/conf/httpd.conf on RHEL-family systems; on Debian and Ubuntu the user and group come from APACHE_RUN_USER and APACHE_RUN_GROUP in /etc/apache2/envvars)
Modify the User directive to be User ApacheFooUser, or whatever user you have created for this, and check that the Group directive is still Group apache
Save the config file, then restart Apache and confirm that the worker processes are now running as the new user. The new user must also be able to read everything under the DocumentRoot and write to any directory the site needs (uploads, sessions), so fix ownership and permissions before restarting if necessary.
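The whole standalone procedure above as one script, added here as an example; it is not the original post's own commands. It assumes a RHEL-family layout (a group named apache, the config at /etc/httpd/conf/httpd.conf, a systemd unit named httpd) and uses the post's placeholders ApacheFooUser and UID 11200. The GID lookup and the User/Group rewrite are plain functions kept apart from the privileged steps, so they can be tried on a copy of the config before anything on the host is changed; the privileged part only runs when the script is invoked as root with --apply.

```shell
#!/bin/sh
# Added example (not from the original post): create a dedicated, non-login
# service account for Apache and point httpd.conf at it.
# Assumed: RHEL-family layout (group "apache", /etc/httpd/conf/httpd.conf,
# systemd unit "httpd"); ApacheFooUser and UID 11200 are placeholders.
set -eu

# Numeric GID of a group name, read from the group database instead of a
# hard-coded 48. An optional second argument names another group file (for tests).
apache_gid() {
  awk -F: -v g="$1" '$1 == g { print $3; exit }' "${2:-/etc/group}"
}

# Rewrite the active User and Group directives of an httpd.conf-style file
# in place. Commented-out directives (leading #) are left untouched.
set_httpd_user() {
  sed -i -E \
    -e "s/^[[:space:]]*User[[:space:]]+.*/User $2/" \
    -e "s/^[[:space:]]*Group[[:space:]]+.*/Group $3/" "$1"
}

# Report the User directive httpd will actually use (the last one wins).
httpd_user() {
  awk '$1 == "User" { u = $2 } END { print u }' "$1"
}

# Create the account. -M: do not create a home directory (/var/www already
# exists); -s /sbin/nologin: nobody can log in interactively as this user.
create_apache_user() {
  useradd -M -u "$2" -g "$3" -s /sbin/nologin -d /var/www "$1"
  # Lock the password unless it must match a remote account for pass-through.
  passwd -l "$1"
}

main() {
  local user uid conf gid
  user=ApacheFooUser   # placeholder name
  uid=11200            # placeholder UID; pick one unused on every host involved
  conf=/etc/httpd/conf/httpd.conf
  gid=$(apache_gid apache)
  [ -n "$gid" ] || { echo "group apache not found in /etc/group" >&2; exit 1; }
  create_apache_user "$user" "$uid" "$gid"
  set_httpd_user "$conf" "$user" apache
  # The new user must be able to read the content it is going to serve.
  sudo -u "$user" test -r /var/www/html \
    || { echo "$user cannot read /var/www/html; fix ownership first" >&2; exit 1; }
  apachectl configtest
  systemctl restart httpd
  # The parent stays root (it binds port 80); the workers must show the new user.
  ps -o user=,pid=,cmd= -C httpd
}

# Only the --apply form touches the system; otherwise just the functions are defined.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as root with --apply on the web server. The final ps line is the check that matters: one httpd line owned by root (the listener) and the rest owned by ApacheFooUser.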
Active Directory Bound Server
If your server is already bound to Active Directory, all you have to do is
- Change the User directive in the Apache config file (/etc/httpd/conf/httpd.conf on RHEL-family systems) to the Active Directory user. Apache resolves that name through the host's name service when it starts, so the account must be resolvable on the server (for example through SSSD or winbind); confirm the host can look the account up before restarting.
- Restart Apache
Note: It goes without saying, but make sure that the Active Directory user you are running Apache as is a dedicated service account with limited rights: not a person's account, and not a member of any privileged groups.
I’ve seen a few oddball scenarios with this. One case was where:
- The webserver was in a somewhat isolated network, with no LDAP access to Active Directory.
- The webserver had NFS access to a File Server
- The webserver was not bound to AD, but needed NFS access to a file server that was bound to Active Directory
In this case, I did the following:
- Created a local Linux user with the same UID and Password as that of the Active Directory User
- Modified /etc/httpd/httpd.conf to be the new user
- Restarted Apache
In a trick dating back a very long time, if you have a local username and password that match the remote username and password (e.g. foouser on linuxhost matches ACTIVEDIRECTORY\foouser), Windows pass-through authentication accepts the credentials and allows resource access; what is then allowed is limited to whatever groups ACTIVEDIRECTORY\foouser has been granted via ACL on the shares. For an NFS export the situation is different: with the default AUTH_SYS security flavour (sec=sys) the server never sees a password at all, it simply trusts the numeric UID and GIDs the client sends with each request. That is why the part of the workaround that actually does the work is creating the local user with the same UID (and, where the ACLs depend on it, the same GIDs) as the Active Directory account. It also means the match is identification rather than authentication: any client that can reach the export can claim any UID, so restrict the export to the web server's address or use sec=krb5 if that risk matters in your environment.