I want to secure a file upload directory on my server as described beautifully here, but I have one problem before I can follow these instructions. I don't know what user Apache is running as.

I've found a suggestion that you can look in httpd.conf and there will be a "User" line, but there is no such line in my httpd.conf file, so I guess Apache is running as the default user. I can't find out what that is, though.

So, my question is (are):

  • how do I find out what the default user is
  • do I need to change the default user
  • if the answer is yes and I change the default user by editing httpd.conf, is it likely to screw anything up?

Thanks!

A: 

Enter ps aux | grep apache in your shell.

The user will be listed there. Now check whether this user has permissions to do anything on the machine. If yes, create a new user and don't assign it any rights. Add the line and restart the Apache server. Normally nothing should be broken, but in case it is, just revert it and look again.

neo
Thanks. Sorry, I'm a total Unix newbie. I've found the user, but, um, how do I check whether the user has permissions to do anything on the machine? And if they do have permissions to do things on the machine, why is that a bad thing?
AP257
To check if the user has some rights, it depends on how you set up the machine. If it has a custom user (i.e. apache), it probably doesn't have any rights; if it runs as another user, it could have some rights. The most common are: 1. Access to important data, like your databases, configuration files, etc. 2. If the user can use sudo. 3. Being in the wheel group. Security also depends on your level of paranoia, so there is no single possible answer to that...
Kjir
+3  A: 
  • To find out the user, you can simply use ps aux | grep apache while it is running.
  • You don't need to, but if Apache is running as root there are security issues.
  • Thirdly, changing the user of Apache will change its rights to access some directories. You need to make sure that /var/www (or wherever you have your websites) is accessible to the new user and group.
  • On the systems I have looked at, Apache was always installed using apache:apache (or similar) as user and group, so it should probably already be set like that.
Kjir
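
An added example, not part of any answer in this thread: a shell sketch of the check described above, which reads a process listing, separates the root parent process from the worker account, and flags membership in administrative groups. The function names, the sample listing and the set of groups treated as administrative are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not from the thread.

# stdin: lines of "USER COMMAND", as printed by `ps -eo user=,comm=`.
# Prints each distinct account owning an Apache process. Matching on the
# command column skips the grep process that `ps aux | grep apache` also lists.
# Assumption: the binary is named apache* or httpd* (RHEL, SUSE).
apache_users() {
    awk '$2 ~ /^(apache|httpd)/ { print $1 }' | sort -u
}

# stdin: same listing. Prints "not-running", "root-only", or the worker
# account(s). The parent process is normally root so it can bind port 80;
# the workers that serve requests run as the configured User.
classify() {
    all=$(apache_users)
    if [ -z "$all" ]; then echo "not-running"; return 0; fi
    workers=$(printf '%s\n' "$all" | awk '$1 != "root"')
    if [ -z "$workers" ]; then echo "root-only"; return 0; fi
    printf '%s\n' "$workers"
}

# $1: space-separated group list, i.e. the output of `id -nG USER`.
# Prints the groups that usually grant administrative rights (assumed set).
admin_groups() {
    found=""
    for g in $1; do
        case "$g" in
            wheel|sudo|root) found="$found $g" ;;
        esac
    done
    echo "${found# }"
}

# Constructed sample listing (not captured from a real host).
SAMPLE_PS='root apache2
www-data apache2
www-data apache2
neo grep
mysql mysqld'

# Live use: ps -eo user=,comm= | classify
for u in $(printf '%s\n' "$SAMPLE_PS" | classify); do
    # Constructed group list; on a real host use: id -nG "$u"
    bad=$(admin_groups "www-data")
    echo "$u: admin groups: ${bad:-none}"
done
```

A result of "root-only" means requests, and therefore uploaded files, are being handled with root privileges, which is the case the answer above warns about.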
A: 

Run suexec -V to determine the compile-time configuration of your suexec module. Check the AP_HTTPD_USER value.

I second Kjir for the other two points.

PS: note that on some distributions (e.g. SuSE) the command is called suexec2.

andcoz