top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Changing the User Which Runs Apache

+1 vote

I've tinkered with running a website using Apache on Linux for a few years now, but in my earlier days, I was a little naive and didn't pay too much attention to permissions.

Now that I'd like to host a very small site on a home server, I'm trying to take security seriously. I know I could easily use GoDaddy hosting, but this will pretty much be a static page blog that I'm sure no one will ever visit anyway. Also, it gives me the opportunity to learn.

In the past, I've always configured my virtual host to use a folder in my home directory. I've read that this is better practice, and it's always been easier than changing permissions for /var/www, but one problem with this is that the www-data user does not have permission to this folder.

I've been experimenting the last couple of days with giving ownership of /var/www to www-data and adding myself to the www-data group, but I've had a few hiccups (I'm sure I'm not doing everything correctly).

I've decided an easier route would be to keep the root web directory in my home folder, but change the user that runs Apache to myself. I've done some searching to see if this is recommended against, but really haven't been able to find too much about the issue in general.

Is this something that anyone else does on a public server? There won't be anything hosted on it that would concern me security wise, but it's always nice to know things are as secure as I can make them.

posted Aug 7, 2013 by Kumar Mitrasen

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

2 Answers

+1 vote

Do not run Apache as yourself. If it (or any application it runs as a module - like PHP if you use mod_php) is compromised, it will be able to modify your personal files.Most people run apache as www-data (or similar) in a dedicated directory.
Check out how the default configuration of apache works on Debian/Ubuntu. They run as the user www-data and have the correct permissions set on the /var/www folder. If you add yourself to the www-data group, you may need to log out and log in again for it to take effect.

answer Aug 7, 2013 by Sumit Pokharna
0 votes

Apache has to start as root so it can get permission on the socket (presumably 80). It then does an su to the uid it runs under. Could be apache but you can have anything you want. It does not need write or execute on any of the page directories just read. They could be owned by you or you might just be in the same group so you can update them.

You have a LOT of options, read the docs!

answer Aug 8, 2013 by Sanketi Garg
Similar Questions
+2 votes

I have a python web application running on apache2 deployed with mod_wsgi. The application has a thread continuously running. This thread is a ZeroMQ thread and listening to a port in loop. The application is not maintaining session. Now if I open the browser and sends a request to the apache server the data is accepted for the first time. Now when second time I send the request It shows Internal server error. When I checked the error log file for traceback, It shows the ZMQError:- The address already in use.

Does apache reloads the application on each request sent from the browser since so that the ZeroMQ thread is being created everytime and being assigned the port but since the port has already been assigned it shows error....

+1 vote

I am getting tired of my web host changing server-wide apache config settings without warning. Then I am pulling my hair out trying to figure out why my website is not quite working as it should.

Is there a way I can use .htaccess or other method to see what the config settings are? Then I could more easily deal with what has been changed.

I realize that what I put in .htaccess will overwrite what they have put in the config, but not knowing what they are doing makes it harder for me to address the changing problems.

–1 vote

Can someone suggest me the name of apache logs analyzer tool which is free and easily available.

0 votes

I am using Apache 2.2 on LE for several years now and I use intensively the virtual host mechanism (300 virtual hosts per http instance).

As soon as you start sharing resources between applications, you want to protect your platform and prevent an application from taking all the threads and cause a resource starvation for the others.

To do so i used the third party mod_qos module to limit the number of simultaneous connections per virtual hosts. Now that i intend to migrate to Apache 2.4, my first tests reveal that this module is not compatible with this version of Apache, thats also the warning that developer raised for his module.

It appears that I don't find any real alternative to substitute the mod_qos module with something else. Here are my questions :
- Can you confirm that Apache does not provide any mechanism allowing to limit the number of connection per virtual host, just to be sure that I am not missing something ?
- Why Apache doesn't provide such a functionality ? :) From my very humble user perspective, I am surprised that this is not a native functionality as it seems to me that my need is probably shared by many users. Moreover Apache provides many other complex functionalities, the one I am describing would be probably something simple to implement compared to other functionalities already available.

+2 votes

I want the images should be accessible as part of http page only not by any other mean, no clue any suggestion would have great help.