How do I run HTTP server on port 80 using a non root user?

Hi experts,
I want to run an HTTP server on port 80. I learned from somewhere that it MUST not be run as root for security reasons. How do I do that?

Thank you in advance!

Hi.

(This is from RedHat, but I hope it applies to you too).

Extract from httpd.conf

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group #-1 on these systems!
#
User apache
Group apache

Hi, scottn, thanks for your quick reply.
I am using Nginx; how do I do this in Nginx?

Hi.

I know absolutely nothing about nginx, sorry.

So I did what I normally do... hit google :smiley:

Are you using just Nginx, or Nginx with Apache?

Do you have a file /usr/local/nginx/conf/nginx.conf?

If so, try changing the user there. If with Apache, try it in /etc/httpd/conf/httpd.conf.

Hi, scottn, thanks for your reply.

I have the configuration file you mentioned; adding user and group there didn't help.
After adding user and group in nginx.conf, the child processes forked by the master process run as the non-root user (which I specified in nginx.conf), but the master process still runs as root.

I have googled around for quite a while, and I found some info saying one can use iptables to redirect traffic coming to the privileged ports (<1024) to higher ports, but we don't use a firewall on the server, so this doesn't seem a viable solution.

And some say that one can use setuid (chmod +s /usr/local/nginx/sbin/nginx) and then run nginx as a non-root user. Yes, I can run nginx in this case using a non-root user, but the master process is still owned by root.

It's really frustrating...
Any more help?

Apache cannot be made to drop privileges in this fashion, so if you don't want to use redirection you're stuck.

An unprivileged user (non-root) cannot run a process that is listening on a port below 1024. That's why nginx's master process must have root privileges.

Short answer to your question is: you don't.

Sure it can. Unprivileged programs can't open ports below 1024, but they can sure use them once they have them. If Apache had the programming for it, it could open the port as root, then switch to an unprivileged user and continue to use the network socket. There are a few pitfalls in this, however -- your logfiles may end up owned by root and give you 'permission denied' when Apache tries to log anything, etc. This and other reasons may be why Apache doesn't.

Therefore, you cannot run a process as an unprivileged user and make it listen on ports below 1024.

BTW, lighttpd drops the privileges after opening the socket. But, as Corona688 said, you have to set the right permissions on its log files.

I chose to give up finding a solution to this problem.
I hope this issue will be addressed at the kernel level in the future.

That's not too likely given there are already user-level (if Apache would just implement it) and firewall-level solutions.

I'm not following you.

Apache starts as a priv user but all subsequent Apache processes have UIDs based on the conf file as mentioned by scottn here.

Apache works fine as is... so I am not sure what "if apache would just implement it" means....

The best solution for your problem is using suPHP
Visit: http://www.suphp.org/Home.html

If what you're asking is how to allow a user to start/stop the webserver without having root / sudo access, you can achieve this by having a C program perform the stop/start/restart. The C program would have to be root-owned with the suid bit set. To mitigate the risk of anyone stopping/starting the webserver, you could perform a check within the program to ensure that the uid / gid executing the code is the only user / group authorized.

Mike

Better yet, have the file permissions do that too.