3.1 Ensure the Apache Web Server Runs As a Non-Root User

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Although Apache is typically started with 'root' privileges in order to bind to ports 80 and 443, it can and should run as another, non-root user to serve requests. The Apache User and Group directives designate the user and group that the Apache worker processes will assume.

Rationale:

One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The 'nobody' or 'daemon' user and group that come by default on Unix variants should NOT be used to run the web server, since those accounts are commonly shared by other, unrelated daemon services. Instead, use an account dedicated to the Apache software, so that a compromise of the web server does not grant unnecessary access to other services. The identifier used for the Apache user should also be a unique system account. System accounts are assigned UIDs from a lower range reserved for special system accounts not used by regular users, as discussed in the User Accounts section of the CIS Red Hat benchmark. Typically, system account UIDs range from '1-999' or '1-499', and the range is defined in the '/etc/login.defs' file.

As an even more secure alternative, if the Apache web server can be run on high, unprivileged ports, then it is not necessary to start Apache as 'root' at all, and every Apache process may be run as the Apache-specific user described below.

Solution

Perform the following:
1. If the apache user and group do not already exist, create the account and group as a unique system account:

# groupadd -r apache
# useradd apache -r -g apache -d /var/www -s /sbin/nologin

2. Configure the Apache user and group in the Apache configuration file 'httpd.conf':

User apache
Group apache
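An audit helper for the two steps above, added here as an example; it is not part of the CIS benchmark or of any vendor audit. It checks that the effective User and Group directives name a dedicated account rather than 'root', 'nobody' or 'daemon', and that the account is a system account (UID between 1 and SYS_UID_MAX, assumed to be 999) with a shell that denies logins. The httpd.conf and /etc/passwd excerpts are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not part of the CIS benchmark text): verifies that the
# User/Group directives name a dedicated, non-root system account whose shell
# denies interactive logins. All sample inputs below are constructed.

# Print the effective value of an httpd.conf directive read from stdin.
# As in httpd, the last occurrence wins; comments and indentation are ignored.
apache_directive() {
  awk -v d="$1" '
    { sub(/^[ \t]+/, "") }
    /^#/ { next }
    tolower($1) == tolower(d) { v = $2 }
    END { print v }'
}

# Validate one /etc/passwd entry for use as the Apache service account:
# $1 = passwd line, $2 = highest system UID (SYS_UID_MAX in /etc/login.defs).
# Returns 0 when the UID is a non-zero system UID and the shell denies logins.
check_service_account() {
  _uid=$(printf '%s' "$1" | cut -d: -f3)
  _shell=$(printf '%s' "$1" | cut -d: -f7)
  [ "$_uid" -ge 1 ] 2>/dev/null && [ "$_uid" -le "${2:-999}" ] || return 1
  case "$_shell" in
    */nologin|*/false) return 0 ;;
    *) return 1 ;;
  esac
}

# Full audit: $1 = httpd.conf text, $2 = /etc/passwd text, $3 = SYS_UID_MAX.
# Prints PASS or a FAIL reason; the exit status mirrors the verdict.
audit_apache_user() {
  _user=$(printf '%s\n' "$1" | apache_directive User)
  _group=$(printf '%s\n' "$1" | apache_directive Group)
  if [ -z "$_user" ] || [ -z "$_group" ]; then
    echo "FAIL: User and Group must both be set"; return 1
  fi
  # 'root' plus the shared accounts the benchmark says not to reuse.
  for _name in "$_user" "$_group"; do
    case "$_name" in
      root|nobody|daemon) echo "FAIL: shared or privileged account '$_name'"; return 1 ;;
    esac
  done
  _entry=$(printf '%s\n' "$2" | awk -F: -v u="$_user" '$1 == u')
  if [ -z "$_entry" ]; then
    echo "FAIL: user '$_user' does not exist"; return 1
  fi
  if ! check_service_account "$_entry" "$3"; then
    echo "FAIL: '$_user' is not a system account with a nologin shell"; return 1
  fi
  echo "PASS: workers run as $_user:$_group"
}

# Constructed samples: the first config mirrors the remediation above, the
# second shows a shared 'daemon' account that the benchmark rejects.
SAMPLE_CONF='
# httpd.conf excerpt
<IfModule unixd_module>
    User apache
    Group apache
</IfModule>'
BAD_CONF='User daemon
Group daemon'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
bob:x:1000:1000::/home/bob:/bin/bash'

# On a live host the same check reads the real files, for example
#   audit_apache_user "$(cat /etc/httpd/conf/httpd.conf)" "$(cat /etc/passwd)" 999
# and `ps -o user= -C httpd | sort -u` shows which accounts the processes use
# (the parent bound to the privileged ports stays root; the workers should not).
audit_apache_user "$SAMPLE_CONF" "$SAMPLE_PASSWD" 999
audit_apache_user "$BAD_CONF" "$SAMPLE_PASSWD" 999 || :   # expected FAIL
```

The UID ceiling is passed in rather than hard-coded because distributions differ ('1-999' or '1-499' as noted above); read SYS_UID_MAX from /etc/login.defs on the host being audited.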

See Also

https://workbench.cisecurity.org/files/2381