Apache as nobody


Post by alex.barylski »

The following is a small snippet of the server I currently have set up (Debian ETCH 4.0). It's a self-managed dedicated server which I plan on moving my clients to once it is set up and secure.

The Apache books I just read both suggest running Apache as user 'nobody', which is set in httpd.conf, easy enough, but by default it seems it's running as www-data (excluding the first because it's the parent process?).

```
root      5421  0.0  1.1  17036  5696 ?        Ss   21:43   0:00 /usr/sbin/apache2 -k start
www-data  5423  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5424  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5425  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5426  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5427  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
root      5432  0.0  0.1   3432  1004 pts/0    R+   21:44   0:00 ps -aux
```

I assume I can look up user 'www-root' and make it basically the same as 'nobody'? However, would it not be easier to just change the Apache setting to set each child process to 'nobody'?

I have cataloged all required Apache modules and made sure I read up on each to thoroughly understand them. I have removed webmin (which came as default) and have plans on using SFTP. Is there *any* reason I would ever need to run FTPd as root or should it be my normal login as well?

Cheers :)

Post by alex.barylski »

Just to add. Found some articles; it appears as though apache2 (Debian ETCH) changes the way Apache is typically set up. www-data seems to be done for security, so if your mail server, etc. also run as nobody, and Apache is ever compromised, your mail server doesn't get taken advantage of.

That was kind of confusing...the way my books say one thing and Debian does another :P

Cheers :)
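
The isolation argument in the post above, as an added example that is not part of the original thread: this Python script groups the daemons in `ps aux`-style output by account and flags accounts shared by several services. The sample listing is constructed (the apache2 rows follow the post; `example-maild` and `example-cached` are hypothetical daemons), and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample: apache2 rows mirror the post's listing; the two
# 'nobody' daemons are hypothetical and show a shared service account.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      5421  0.0  1.1  17036  5696 ?        Ss   21:43   0:00 /usr/sbin/apache2 -k start
www-data  5423  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
www-data  5424  0.0  0.6  17036  3168 ?        S    21:43   0:00 /usr/sbin/apache2 -k start
nobody    6001  0.0  0.2   9000  1200 ?        Ss   21:40   0:00 /usr/sbin/example-maild -d
nobody    6002  0.0  0.2   8000  1100 ?        Ss   21:40   0:00 /usr/bin/example-cached -m 64
root      5432  0.0  0.1   3432  1004 pts/0    R+   21:44   0:00 ps -aux
"""

def parse_ps(text):
    """Yield (user, pid, tty, executable) per process row; the header is skipped."""
    for line in text.splitlines():
        fields = line.split(None, 10)  # field 11 (COMMAND) may contain spaces
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        yield fields[0], int(fields[1]), fields[6], fields[10].split()[0]

def daemons_by_user(text):
    """Map each account to the set of executables it runs without a TTY."""
    owners = defaultdict(set)
    for user, _pid, tty, exe in parse_ps(text):
        if tty == "?":  # no controlling terminal: treat as a daemon
            owners[user].add(exe)
    return dict(owners)

def shared_accounts(text, ignore=("root",)):
    """Non-root accounts that run more than one distinct daemon."""
    return {user: sorted(exes) for user, exes in daemons_by_user(text).items()
            if user not in ignore and len(exes) > 1}

def web_account_is_dedicated(text, web_exe="/usr/sbin/apache2"):
    """True when every non-root account running web_exe runs nothing else."""
    owners = daemons_by_user(text)
    workers = [u for u, exes in owners.items() if web_exe in exes and u != "root"]
    return bool(workers) and all(owners[u] == {web_exe} for u in workers)

if __name__ == "__main__":
    print("shared accounts:", shared_accounts(SAMPLE_PS))
    print("web account dedicated:", web_account_is_dedicated(SAMPLE_PS))
```

On a live host, feed it the output of `ps aux` instead of `SAMPLE_PS`; a shared account in the report means a compromise of one listed daemon reaches the files and processes of the others.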