check strings in the apache config directory /etc/apache (debian) grep www- /etc/apache2/apache2.conf * -R or grep http /etc/apache2/apache2.conf * -R
check strings content old users and change to new user : http-web check apache process run: ps -ef |grep -i apache or ps -ef |grep -i http PS: Change index.php, for example or .httpaccess in the root directory you website for you new group permission 775... 2016-09-14 18:37 GMT-03:00 Tom Hammond <tomino...@gmail.com>: > Hi Richard, > > Thanks for the advice! If I understand you, the user/group that the > webserver is running as needs to have read access on files and execute on > directories, but at the same time not be an "owner" of these files & > directories. Is that correct? > > Thanks again, > Tom > > > -----Original Message----- > From: Richard [mailto:lists-apa...@listmail.innovate.net] > Sent: Wednesday, September 14, 2016 5:06 PM > To: users@httpd.apache.org > Subject: Re: [users@httpd] Change user for Apache web server to a > non-privileged user? > > > > > Date: Wednesday, September 14, 2016 08:16:32 -0400 > > From: Tom Hammond <tomino...@gmail.com> > > > > I have an Apache 2.2x server and would like to harden security so that > > hackers can't get in easily to the Apache webserver. One suggestion > > is to change the user/group for Apache to a non-privileged account. > > > > Currently the user "fpp" is the default user for Apache which has > > access to the operating system via sudo commands. > > > > I entered these commands to create a non-privileged account: > > sudo groupadd http-web > > sudo useradd -d /opt/fpp/www/ -g http-web http-web > > > > I then edited /etc/apache2/envvars to change these lines: > > export APACHE_RUN_USER=http-web > > > > export APACHE_RUN_GROUP=http-web > > > > I also ran this command to change user/group permissions on this > > folder: sudo chown -R http-web:http-web /var/lock/apache2/ sudo chown > > -R http-web:http-web /opt/fpp/www > > > > Finally, I restarted the Apache service with this command: > > sudo service apache2 restart > > > > When I try to access the website on this server, I receive the > > following message: > > > > Forbidden: You don't have permission to access / on this server. > > > > I've been scouring the Internet trying to figure out how to switch the > > default "fpp" Apache user to a non-privileged account and can't figure > > it out. Can someone shed some light on this? > > There's nothing about the "apache" user/group that inherently makes it > privileged. It's just a standard user/group that the apache server > (generally) runs as. > > What you do want to make certain of is that your DocumentRoot is not owned > by the user/group that the webserver is running as, and that it is not > writable by that user/group. > > The webserver does need read access to the files (and execute to > directories) under the DocumentRoot. > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > -- Atenciosamente, Rodrigo da Silva Cunha
