By: webgaha

How to Run Apache as separate User and Group on Ubuntu 16.04?

November 25, 2017 205 views
Security Apache

How to run Apache as a separate user and group on Ubuntu 16.04 for security?

2 Answers

Apache should be run as www-data, which is a user that only Apache runs under.

It depends a lot on your setup, but you can have different apps run as different users listening on localhost ports and then proxy to them from your "main" Apache, and you can run your fcgi workers as a different user, but it really depends on which applications you're running and how you're running them.

Hm, so this tip to run Apache as a separate user and group is an old procedure, because today Apache already comes running as a separate user and group, right?

  • "mostly".

    The point of running stuff as different users is to limit the impact of someone taking control of the software via bugs/vulnerabilities. If everything runs as the same user, breaking in is easy.

    If you're just running apache, serving static files and things, www-data is enough.

    If you have a whole bundle of applications also running in Apache (in mod_php, mod_perl etc.) you end up with lots of your own custom, internet-facing code running as www-data, which gives the bad guys more of a chance to gain access to that user, and puts them in control of more stuff if they do.

    It's the principle of least privilege, combined with a bit of compartmentalisation.
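
One way to check the compartmentalisation discussed in this thread on a running host. This is an added example, not code from any of the posts. It flags Apache workers that still run as root and other processes that share Apache's account. The binary name `apache2`, the default account `www-data`, the account `app-blog` and the sample process list are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit which accounts web-facing processes run as.
# Input on stdin: "USER PID PPID COMMAND" lines, e.g. from
#   ps -eo user:32,pid,ppid,comm --no-headers
# Assumed (not stated in the thread): binary name apache2, worker account
# www-data, as on stock Ubuntu.

audit_web_users() {
  web_user="${1:-www-data}"
  findings=$(awk -v web_user="$web_user" '
    { user[$2] = $1; ppid[$2] = $3; comm[$2] = $4 }
    END {
      for (pid in comm) {
        is_apache = (comm[pid] == "apache2")
        parent = ppid[pid]
        # The Apache parent keeps root to bind ports 80/443; only its
        # children (the workers that handle requests) must have dropped it.
        is_worker = is_apache && (parent in comm) && comm[parent] == "apache2"
        if (is_worker && user[pid] == "root")
          printf "FAIL pid=%s apache2 worker runs as root\n", pid
        else if (!is_apache && user[pid] == web_user)
          printf "SHARED pid=%s %s runs as %s, same account as Apache\n", pid, comm[pid], web_user
      }
    }' | sort)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample: a PHP worker pool shares www-data with Apache, while a
# second app runs under its own (hypothetical) account app-blog.
sample_ps() {
  cat <<'EOF'
root      900    1 apache2
www-data  901  900 apache2
www-data  902  900 apache2
www-data 1200    1 php-fpm7.0
app-blog 1300    1 gunicorn
EOF
}

sample_ps | audit_web_users || echo "review the findings above"
```

On a live system, pipe the `ps` command from the header comment into `audit_web_users`; a non-zero exit status means at least one finding was printed.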
