Run Apache as Different User

First, a few notes:

  • It is standard practice to run Apache as a dedicated, unprivileged user.
  • The Apache worker processes must never run as root. The parent process is started by root so it can bind ports 80 and 443; it then forks children that run as whatever the User and Group directives name, and those are the processes that handle requests.
  • Running the workers as a non-root user limits the damage from a compromised website: an attacker who gains code execution through the web application gets that user's privileges, not root's.
  • In an Enterprise environment, changing the user Apache runs as lets you grant and control access to other resources based on that account. For instance, in an Active Directory environment, if an Apache instance needs to serve a list of photos from another server or share, you can grant the configured Apache user access to those particular servers or shares and nothing else.

Since not everybody reading this will be in an Active Directory domain, I will detail how to change the Apache user in both Active Directory and on standalone Linux servers.

Standalone Server

Create the Linux User

A local user must be created on the Linux machine with the ‘apache’ group as its primary group. This step is not required if the server is bound to Active Directory; in that case, skip ahead to the Active Directory Bound Server section.

  • SSH to the webserver in question
  • Run the following command
    useradd UsernameHere -u uidNumberHere -s /login/shell -d /home/dir/here -g apachegroupnumberhere
  • Example: useradd ApacheFooUser -u 11200 -s /sbin/nologin -d /var/www -g 48
  • Note: the apache group ID is usually 48, but in typical Linux rough-edge fashion it may be something else. Group IDs live in /etc/group (not /etc/passwd); check with `getent group apache` before picking a number.
  • Set a password for the account only if it must authenticate to another system (see Other Scenarios below). A service account with a /sbin/nologin shell does not need one, and leaving it locked removes one more way to log in as that user.

    passwd ApacheFooUser

Configure Apache to run as the new user

  • SSH to the server in question
  • Edit the apache config file

    vim /etc/httpd/conf/httpd.conf
  • Change the User directive to User ApacheFooUser, or whatever user you have created for this, and make sure the Group directive still names the apache group
  • Save the config file and check it with httpd -t before restarting
  • Make sure the new user can read the content it serves (DocumentRoot, any directories named in Alias directives) and write the log and run directories it needs
  • Restart Apache and confirm with ps that the worker processes now run as the new user; only the parent process should still be root

Active Directory Bound Server

If your server is already bound to Active Directory, all you have to do is

  • Change the User directive in /etc/httpd/conf/httpd.conf to the Active Directory user (the account must resolve on the host, e.g. via SSSD or winbind, so check it first with `getent passwd`)
  • Restart Apache

Note: It goes without saying, but make sure that the Active Directory user you are running Apache as has limited rights: read access to the web content and the shares it must serve, and nothing else.
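The standalone procedure above, and the same User directive change for the Active Directory-bound case, as an added shell example. This is not code from the original post; it assumes a RHEL-style layout (config at /etc/httpd/conf/httpd.conf, group named apache, service named httpd) and uses the post's example user name ApacheFooUser. The privileged steps are wrapped in a function that is only run on the web server itself; the helpers that edit and check the config run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for switching the
# Apache User/Group directives and checking the result before a restart.
# Assumptions: RHEL-style paths (/etc/httpd/conf/httpd.conf), group "apache",
# service "httpd". ApacheFooUser is the post's example account name.

set -eu

# Look up a group's numeric ID. Group IDs live in /etc/group, not /etc/passwd;
# getent also covers groups served by SSSD/winbind on an AD-bound host.
group_id() {
    getent group "$1" | cut -d: -f3
}

# Print the effective value of a directive (User or Group). Apache honours the
# last occurrence in the file, so the last match wins here too.
configured_directive() {
    directive="$1"; conf="$2"
    awk -v d="$directive" '$1 == d { v = $2 } END { print v }' "$conf"
}

# Rewrite the User and Group directives in a config file, leaving every other
# line untouched. Writes a temp file rather than relying on sed -i.
set_apache_user() {
    conf="$1"; user="$2"; group="$3"
    sed -e "s/^[[:space:]]*User[[:space:]].*/User $user/" \
        -e "s/^[[:space:]]*Group[[:space:]].*/Group $group/" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Sanity check before restarting: the configured user must exist, must not be
# root, and should not have an interactive shell. Returns non-zero on failure.
check_apache_user() {
    conf="$1"
    user=$(configured_directive User "$conf")
    [ -n "$user" ] || { echo "no User directive in $conf" >&2; return 1; }
    [ "$user" != "root" ] || { echo "User must not be root" >&2; return 1; }
    entry=$(getent passwd "$user") || { echo "no such user: $user" >&2; return 1; }
    shell=${entry##*:}
    case "$shell" in
        */nologin|*/false) ;;
        *) echo "warning: $user has an interactive shell ($shell)" >&2 ;;
    esac
    return 0
}

# Full procedure on the web server (needs root): create the account, point
# httpd at it, syntax-check, restart, and confirm the workers run as the user.
switch_apache_user() {
    user="$1"; uid="$2"; conf="${3:-/etc/httpd/conf/httpd.conf}"
    gid=$(group_id apache)
    useradd "$user" -u "$uid" -s /sbin/nologin -d /var/www -g "$gid"
    set_apache_user "$conf" "$user" apache
    check_apache_user "$conf"
    httpd -t                                 # syntax check before touching the service
    systemctl restart httpd
    ps -o user= -C httpd | sort | uniq -c    # expect root (parent) plus $user (workers)
}

# Example invocation, to be run as root on the web server:
#   switch_apache_user ApacheFooUser 11200
```

For an AD-bound host, skip the useradd line and call set_apache_user and check_apache_user directly with the domain account; check_apache_user will fail if getent cannot resolve it, which is the first thing to fix before restarting.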

Other Scenarios

I’ve seen a few oddball scenarios with this. One case was where:

  • The webserver was in a somewhat isolated network, with no LDAP access to Active Directory.
  • The webserver had NFS access to a file server.
  • The webserver was not bound to AD, but needed NFS access to a file server that was bound to Active Directory.

In this case, I did the following:

  • Created a local Linux user with the same UID and password as those of the Active Directory user
  • Modified the User directive in /etc/httpd/conf/httpd.conf to the new user
  • Restarted Apache

Matching the local account to the remote one is a trick dating back a very long time. How much has to match depends on the protocol. NFS exports with the default sec=sys never see a password: the server trusts the UID and GID the client presents, so what matters is that the local user's UID and group IDs equal those of the Active Directory user as the file server sees them. A matching username and password is what the equivalent trick needs for SMB/CIFS shares, where the server authenticates the presented credentials pass-through style (e.g. foouser@linuxhost matching ACTIVEDIRECTORY\foouser). In either case the access granted is limited to whatever ACTIVEDIRECTORY\foouser has been granted via ACLs on the shares, and because sec=sys trusts the client's claimed UID, the export itself should be restricted to the web server's address rather than left open to the subnet.
