Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
updating apache, openssl? Question Question
SSL: Personal Identifiable Information on Certificate? Question Question

Question

How to Run Apache as separate User and Group on Ubuntu 16.04?

Posted November 25, 2017 4.4k views
ApacheSecurity

How to Run Apache as separate User and Groupon Ubuntu 16.04 for security?

Add a comment
webgaha
By:
webgaha

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
updating apache, openssl? Question Question
SSL: Personal Identifiable Information on Certificate? Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers
alastairc November 25, 2017

Apache should be run as www-data, which is a user that only apache runs under.

It depends a lot on your setup, but you can have different apps run as different users listening on localhost ports and then proxy to them from your “main” apache, and you can run your fcgi workers as a different user but it really depends on which applications you’re running and how you’re running them.

Reply Report
webgaha November 25, 2017

Hm, so this tip to Run Apache as separate User and Group is an old procedure because today the apache is already coming running as separate User and Group, right?

Reply Report
  • alastairc November 26, 2017

    “mostly”.

    The point of running stuff as different users is to limit the impact of someone taking control of the software via bugs/vulnerabilities. If everything runs as the same user, breaking in is easy.

    If you’re just running apache, serving static files and things, www-data is enough.

    If you have a whole bundle of applications also running in apache (in modphp, modperl etc) you end up with lots of your own, custom, internet-facing code running as www-data, which gives the bad guys more of a chances to gain access to that user, and puts them in control of more stuff if they do.

    It’s the Principle of least privilege and combined with a bit of compartmentalisation.

    Reply Report

Related

Looking for something else?

Ask a new question Search for more help