I was told that chrooting that user might also be a good idea. What do you think?
On 14 September 2016 at 23:49, Richard <lists-apa...@listmail.innovate.net> wrote:
>
> > Date: Wednesday, September 14, 2016 17:37:36 -0400
> > From: Tom Hammond <tomino...@gmail.com>
> >
> >> From: Richard
> >> Sent: Wednesday, September 14, 2016 5:06 PM
> >>
> >>> Date: Wednesday, September 14, 2016 08:16:32 -0400
> >>> From: Tom Hammond <tomino...@gmail.com>
> >>>
> >>> I have an Apache 2.2x server and would like to harden security so
> >>> that hackers can't get in easily to the Apache webserver. One
> >>> suggestion is to change the user/group for Apache to a
> >>> non-privileged account.
> >>>
> >>> Currently the user "fpp" is the default user for Apache which has
> >>> access to the operating system via sudo commands.
> >>>
> >>> I entered these commands to create a non-privileged account:
> >>> sudo groupadd http-web
> >>> sudo useradd -d /opt/fpp/www/ -g http-web http-web
> >>>
> >>> I then edited /etc/apache2/envvars to change these lines:
> >>> export APACHE_RUN_USER=http-web
> >>> export APACHE_RUN_GROUP=http-web
> >>>
> >>> I also ran this command to change user/group permissions on this
> >>> folder:
> >>> sudo chown -R http-web:http-web /var/lock/apache2/
> >>> sudo chown -R http-web:http-web /opt/fpp/www
> >>>
> >>> Finally, I restarted the Apache service with this command:
> >>> sudo service apache2 restart
> >>>
> >>> When I try to access the website on this server, I receive the
> >>> following message:
> >>>
> >>> Forbidden: You don't have permission to access / on this server.
> >>>
> >>> I've been scouring the Internet trying to figure out how to switch
> >>> the default "fpp" Apache user to a non-privileged account and
> >>> can't figure it out. Can someone shed some light on this?
> >>
> >> There's nothing about the "apache" user/group that inherently makes
> >> it privileged. It's just a standard user/group that the apache
> >> server (generally) runs as.
> >>
> >> What you do want to make certain of is that your DocumentRoot is
> >> not owned by the user/group that the webserver is running as, and
> >> that it is not writable by that user/group.
> >>
> >> The webserver does need read access to the files (and execute to
> >> directories) under the DocumentRoot.
> >
> > Thanks for the advice! If I understand you, the user/group that the
> > webserver is running as needs to have read access on files and
> > execute on directories, but at the same time not be an "owner" of
> > these files & directories. Is that correct?
>
> Correct. And, as well, that user/group should not have write access
> to the files/directories under the DocumentRoot.
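The permission rule Richard states above, turned into a check that can be run against a DocumentRoot before restarting httpd. This is an added example, not code from the thread or the Apache project; the function names audit_docroot and audit_count are assumed, and the sample tree used to exercise it is constructed.

```shell
# Audit a DocumentRoot against the user/group httpd runs as (added example,
# not from the thread). Rule from the thread: the run user/group needs read
# on files and execute (traverse) on directories under DocumentRoot, but must
# neither own nor be able to write anything there. Function names are assumed.
#
# audit_docroot DOCROOT RUN_USER RUN_GROUP -> one finding per line: TAG<TAB>PATH
audit_docroot() {
    root=$1; u=$2; g=$3
    # OWNED: owned by the run user or run group. An owner can chmod the entry,
    # so ownership alone gives the server write access whatever the mode bits
    # say (this is what "chown -R http-web:http-web /opt/fpp/www" above did).
    find "$root" \( -user "$u" -o -group "$g" \) -exec printf 'OWNED\t%s\n' {} \;
    # WRITABLE: u+w as owner (0200), g+w as group member (0020), or o+w (0002).
    find "$root" \( \( -user "$u" -perm -200 \) -o \( -group "$g" -perm -020 \) \
        -o -perm -002 \) -exec printf 'WRITABLE\t%s\n' {} \;
    # UNREADABLE: a file with no read bit that applies to the server.
    find "$root" -type f ! \( -perm -004 -o \( -group "$g" -perm -040 \) \
        -o \( -user "$u" -perm -400 \) \) -exec printf 'UNREADABLE\t%s\n' {} \;
    # NOTRAVERSE: a directory the server cannot enter, so everything below it
    # is unreachable (one common cause of a "Forbidden" response).
    find "$root" -type d ! \( -perm -001 -o \( -group "$g" -perm -010 \) \
        -o \( -user "$u" -perm -100 \) \) -exec printf 'NOTRAVERSE\t%s\n' {} \;
    # ANCESTOR: every directory from / down to DocumentRoot must be traversable
    # too, or the request is refused before DocumentRoot is ever reached.
    d=$(cd "$root" && pwd -P)
    while [ "$d" != / ]; do
        d=$(dirname "$d")
        find "$d" -prune ! \( -perm -001 -o \( -group "$g" -perm -010 \) \
            -o \( -user "$u" -perm -100 \) \) -exec printf 'ANCESTOR\t%s\n' {} \;
    done
}

# audit_count TAG DOCROOT RUN_USER RUN_GROUP -> number of findings with that tag
audit_count() {
    tag=$1; shift
    audit_docroot "$@" | awk -v t="$tag" '$1 == t { n++ } END { print n + 0 }'
}
```

Run it as `audit_docroot /opt/fpp/www http-web http-web` after the envvars change; a clean DocumentRoot prints nothing.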