
run web server as non root at port 80

Hi all,

I am reading a book that advises running the web server as non-root, for example as nobody. I think he means to log in as the nobody user and run (service httpd start). If I start httpd as non-root I get ((13)Permission denied: make_sock: could not bind to address 0.0.0.0:80).
If I run Apache as a non-root user, will I run into other problems in the future, like clients getting errors when accessing the web site?

How can I make the nobody user run Apache? Is it done under sudoers?

Hi there,

It is normally not possible to bind a service to a port below 1024 as a non-root user without modifying the kernel.

But you could check this link http://isptools.sourceforge.net/suid-wrap.html
or search for CAP_NET_BIND_SERVICE in your favorite search engine.

--TheDoctor

Author

Commented:
I have even changed the port to 8080; after trying to start httpd, this time I get an error with port 443.
(13)Permission denied: make_sock: could not bind to address [::]:443

Author

Commented:
Does the following mean that it is recommended to run httpd as a low-privileged user?

((((((
If the child processes are run as root user processes, a potential security hole will be opened for attack by hackers. Enabling the capability to interact with a root user process maximizes a potential breach of security in the system; hence, this is not recommended. Rather, I highly recommend that you choose to run the child server processes as a very low-privileged user belonging to a very low-privileged group. In most Unix systems, the user named nobody (usually UID = -1) and the group named nogroup (usually GID = -1) are low-privileged. You should consult your /etc/group and /etc/passwd files to determine these settings.

If you plan to run the primary Web server as a nonroot (regular) user, it will not be able to change the UID and GID of child processes, because only root user processes can change the UID or GID of other processes. Therefore, if you run your primary server as the user named ironsheik, then all child processes will have the same privileges as ironsheik. Similarly, whatever group ID you have will also be the group ID for the child processes.
)))))

Author

Commented:
This is my (ps aux | grep httpd) output. Does this mean I am running as root or apache?

root      5819  0.1  0.6 236252 11068 ?        Ss   15:02   0:00 /usr/sbin/httpd
apache    5821  0.0  0.3 236252  6500 ?        S    15:02   0:00 /usr/sbin/httpd
apache    5822  0.0  0.3 236252  6496 ?        S    15:02   0:00 /usr/sbin/httpd
apache    5823  0.0  0.3 236252  6496 ?        S    15:02   0:00 /usr/sbin/httpd
apache    5824  0.0  0.3 236252  6496 ?        S    15:02   0:00 /usr/sbin/httpd
apache    5825  0.0  0.3 236252  6496 ?        S    15:02   0:00 /usr/sbin/httpd
apache    5826  0.0  0.3 236252  6496 ?        S    15:02   0:00 /usr/sbin/httpd
apache    5827  0.0  0.3 236252  6496 ?        S    15:02   0:00 /usr/sbin/httpd
apache    5828  0.0  0.3 236252  6496 ?        S    15:02   0:00 /usr/sbin/httpd
root      5831  0.0  0.0  61176   744 pts/1    S+   15:02   0:00 grep httpd
Most Valuable Expert 2015
Commented:
In your httpd.conf, you have defined apache as the user to run the httpd processes.  User 'root' must start the initial httpd process.  User 'apache' is already a non-privileged account.

What you are seeing is expected and normal.
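
The check described in the answer above, as an added example that is not part of the original thread: a shell function that reads `ps aux`-style lines and confirms that at most one httpd process (the parent that binds the port) runs as root while the workers run as an unprivileged user. The function name, verdict strings and sample lines are constructed for illustration; it assumes the binary is named httpd, as in the output posted in the thread.

```shell
#!/bin/sh
# Added example: classify httpd processes from `ps aux`-style lines on stdin.
# Assumes field 1 is the user and field 11 the command, as `ps aux` prints them.
httpd_priv_check() {
    awk '
        # Match the httpd binary itself, not the "grep httpd" line.
        $11 ~ /(^|\/)httpd$/ {
            if ($1 == "root") root++; else other++
        }
        END {
            # More than one root-owned httpd means workers kept root.
            if (root > 1)        verdict = "workers-as-root"
            else if (other == 0) verdict = "no-unprivileged-workers"
            else                 verdict = "ok"
            printf "root=%d nonroot=%d verdict=%s\n", root, other, verdict
            exit (verdict == "ok" ? 0 : 1)
        }'
}

# Constructed sample, shaped like the output posted in the thread.
sample_ok='root      5819  0.1  0.6 236252 11068 ?     Ss 15:02 0:00 /usr/sbin/httpd
apache    5821  0.0  0.3 236252  6500 ?     S  15:02 0:00 /usr/sbin/httpd
apache    5822  0.0  0.3 236252  6496 ?     S  15:02 0:00 /usr/sbin/httpd
root      5831  0.0  0.0  61176   744 pts/1 S+ 15:02 0:00 grep httpd'

# Constructed sample of the setup the quoted book passage warns against:
# child server processes still running as root.
sample_bad='root      100  0.1  0.6 236252 11068 ?     Ss 15:02 0:00 /usr/sbin/httpd
root      101  0.0  0.3 236252  6500 ?     S  15:02 0:00 /usr/sbin/httpd'

printf '%s\n' "$sample_ok"  | httpd_priv_check
printf '%s\n' "$sample_bad" | httpd_priv_check || echo "flagged"
# On a live host: ps aux | httpd_priv_check
```

The function exits non-zero for any verdict other than `ok`, so it can be used directly in a monitoring script or a post-deploy check.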

Author

Commented:
You are right, I just found out the answer you mentioned, thanks for that.

Author

Commented:
thanks