rawandnet
asked on
run web server as non root at port 80
Hi all,
I am reading a book that advises running the web server as non-root, for example as nobody. I think he means logging in as the nobody user and running (service httpd start). If I start httpd as non-root I get ((13)Permission denied: make_sock: could not bind to address 0.0.0.0:80).
If I run Apache as a non-root user, will I get into other problems in future, like clients getting errors when they access the web site?
How can I make the nobody user run Apache? Is it done under sudoers?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Does the following mean that it is recommended to run httpd as a low-privileged user?
((((((
If the child processes are run as root user processes, a potential security hole will be opened for attack by hackers. Enabling the capability to interact with a root user process maximizes a potential breach of security in the system; hence, this is not recommended. Rather, I highly recommend that you choose to run the child server processes as a very low-privileged user belonging to a very low-privileged group. In most Unix systems, the user named nobody (usually UID = -1) and the group named nogroup (usually GID = -1) are low-privileged. You should consult your /etc/group and /etc/passwd files to determine these settings.
If you plan to run the primary Web server as a nonroot (regular) user, it will not be able to change the UID and GID of child processes, because only root user processes can change the UID or GID of other processes. Therefore, if you run your primary server as the user named ironsheik, then all child processes will have the same privileges as ironsheik. Similarly, whatever group ID you have will also be the group ID for the child processes.
)))))
ASKER
This is my (ps aux | grep httpd) output. Does this mean I am running as root or apache?
root 5819 0.1 0.6 236252 11068 ? Ss 15:02 0:00 /usr/sbin/httpd
apache 5821 0.0 0.3 236252 6500 ? S 15:02 0:00 /usr/sbin/httpd
apache 5822 0.0 0.3 236252 6496 ? S 15:02 0:00 /usr/sbin/httpd
apache 5823 0.0 0.3 236252 6496 ? S 15:02 0:00 /usr/sbin/httpd
apache 5824 0.0 0.3 236252 6496 ? S 15:02 0:00 /usr/sbin/httpd
apache 5825 0.0 0.3 236252 6496 ? S 15:02 0:00 /usr/sbin/httpd
apache 5826 0.0 0.3 236252 6496 ? S 15:02 0:00 /usr/sbin/httpd
apache 5827 0.0 0.3 236252 6496 ? S 15:02 0:00 /usr/sbin/httpd
apache 5828 0.0 0.3 236252 6496 ? S 15:02 0:00 /usr/sbin/httpd
root 5831 0.0 0.0 61176 744 pts/1 S+ 15:02 0:00 grep httpd
SOLUTION
ASKER
You are right, I just found out the answer you mentioned, thanks for that.
ASKER
thanks
ASKER
(13)Permission denied: make_sock: could not bind to address [::]:443
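Added example, not part of the original thread: a shell check for the question raised by the ps aux listing earlier on this page, reporting which user the httpd parent runs as and failing if any worker process runs as root. The function name audit_httpd and the rule that the parent is the process with "s" (session leader) in the STAT column are assumptions of this example.

```shell
#!/bin/sh
# Classify httpd processes from `ps aux`-style lines read on stdin.
# Columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
# Assumption: the parent httpd is the session leader ("s" in STAT, e.g. "Ss"),
# as in the listing on this page; workers show a plain "S".
audit_httpd() {
    awk '
        $11 !~ /httpd$/ { next }           # skip "grep httpd" and other commands
        $8 ~ /s/ { parent = $1; next }     # session leader = parent process
        { workers[$1]++; if ($1 == "root") bad++ }
        END {
            if (parent == "") { print "no httpd parent found"; exit 2 }
            printf "parent runs as: %s\n", parent
            for (u in workers) printf "workers as %s: %d\n", u, workers[u]
            if (bad) { print "FAIL: worker processes run as root"; exit 1 }
            print "OK: workers are unprivileged"
        }'
}

# Sample input: four lines taken from the listing on this page (shortened).
sample_ps() {
    cat <<EOF
root 5819 0.1 0.6 236252 11068 ? Ss 15:02 0:00 /usr/sbin/httpd
apache 5821 0.0 0.3 236252 6500 ? S 15:02 0:00 /usr/sbin/httpd
apache 5822 0.0 0.3 236252 6496 ? S 15:02 0:00 /usr/sbin/httpd
root 5831 0.0 0.0 61176 744 pts/1 S+ 15:02 0:00 grep httpd
EOF
}

# On a live host: ps aux | audit_httpd
sample_ps | audit_httpd
```

A root-owned parent with apache-owned workers is the arrangement the quoted book passage recommends: the parent needs root only to bind ports below 1024 such as 80 and 443, and the workers that handle requests run unprivileged.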