Apache start issue

rs266 · August 21, 2008, 7:35am

Hi group,

I need help to start apache in following scenario:

1) Say apache is installed on solaris OS by user 'root'.
2) An entry is there in httpd.conf that says to start apache process as user:
#User <RUN_AS_USER> is edited as
User user1
2) Now say user2 has logged and tries to start apache process. Now whosoever tries to start Apache, it should always gets start as user1.

We are only able to start apache as a 'root' user.

Thanks
rs266

Neo · August 21, 2008, 8:04am

User2 cannot start a process as User1, this would be a security violation.

You have to start the process as either User1 or root.....

otheus · August 21, 2008, 8:06am

That's correct. Only processes launched as the 'root' user may change the user to something else (Which is what Apache is trying to do with that configuration line.) In order to start Apache in such a way, you need to use something like the "sudo" package. In the sudoers configuration file, you might add a line like this:

user2   ALL=(user1) /opt/CSWApache/bin/apachectl

This says that user2 can now run (at the shell):

$ sudo -u user1 /opt/CSWApache/bin/apachectl start

rs266 · August 21, 2008, 8:07am

then what is the usage of
#User <RUN_AS_USER> in httpd.conf.

Please explain a bit details for this.

otheus · August 21, 2008, 8:14am

That's the user apache will run Apache child processes under. This only works if 'root' starts the Apache process.

indo1144 · August 21, 2008, 9:54am

The reason that directive exist, is that only the apache-processes that serve out pages run as a different user. Did you notice that one process always runs as root (when started as root)? The other child-processes run as a different user.
When there is a compromise of your system, the intruder will have the privileges of the apache-user and not root. Always make sure that your apache-user has no more rights than it needs...

pupp · August 21, 2008, 11:17am

it might be a little easier to understand with this:
httpd.conf

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www

now each child process is user www

# ps -eaf | grep httpd
     www  3903  3900   0   Aug 11 ?           0:00 /usr/local/apache2/bin/httpd -k start
     www  4520  3901   0   Aug 19 ?           0:52 /usr/local/apache2/bin/httpd -k start
     www  4519  3901   0   Aug 19 ?           0:59 /usr/local/apache2/bin/httpd -k start
     www  4597  3901   0 21:26:11 ?           0:11 /usr/local/apache2/bin/httpd -k start
     www  3909  3900   0   Aug 11 ?           0:00 /usr/local/apache2/bin/httpd -k start
     www  3911  3900   0   Aug 11 ?           0:00 /usr/local/apache2/bin/httpd -k start
    root  3901     1   0   Aug 11 ?           1:41 /usr/local/apache2/bin/httpd -k start
     www  4512  3901   0   Aug 19 ?           0:46 /usr/local/apache2/bin/httpd -k start