3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf Group = apache'

Information

Although Apache is typically started with root privileges in order to listen on port 80 and 443, it can and should run as another non-root user in order to perform the web services. The Apache User and Group directives are used to designate the user and group that the Apache worker processes will assume.

Rationale:

One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The nobody or daemon user and group that come by default on Unix variants should NOT be used to run the web server, since those accounts are commonly shared with other, separate daemon services. Instead, use an account used only by the Apache software, so that the web server does not gain unnecessary access to other services. Also, the apache user should be a unique system account. System accounts have lower UID values, which are reserved for special system accounts not used by regular users, as discussed in the User Accounts section of the CIS Red Hat benchmark. Typically, system account UIDs range from 1-999, or 1-499, and the boundary is defined in the /etc/login.defs file.

As an even more secure alternative, if the Apache web server can be run on high unprivileged ports, then it is not necessary to start Apache as root, and all of the Apache processes may be run as the Apache specific user as described below.

Solution

Perform the following:

If the apache user and group do not already exist, create the account and group as a unique system account:

# groupadd -r apache
# useradd apache -r -g apache -d /var/www -s /sbin/nologin

Configure the Apache user and group in the Apache configuration file httpd.conf:

User apache
Group apache
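One way to audit the result from the shell, as an added example that is not part of the benchmark text: it reads the effective User and Group directives from httpd.conf, rejects the shared nobody/daemon accounts named above, and checks that the configured user's UID is below UID_MIN from login.defs. The login.defs and passwd paths are parameters so the check can run against constructed copies; the fallback UID_MIN of 1000 is an assumption.

```shell
#!/bin/sh
# Audit helper for the Apache User/Group directives (added example, not
# part of the CIS benchmark). Paths are parameters so it runs offline.

# Print the effective value of a directive: the last non-comment
# occurrence wins, matching how Apache resolves a repeated directive.
# $1 = config file, $2 = directive name (case-insensitive, as in Apache)
apache_directive() {
  awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
                 END { if (v != "") print v }' "$1"
}

# Reject the shared accounts the benchmark says must not run the server.
# Returns 0 if the name is acceptable, 1 otherwise.
is_dedicated_account() {
  case "$1" in
    ""|nobody|daemon|root) return 1 ;;
    *) return 0 ;;
  esac
}

# Check that the user's UID is below UID_MIN, i.e. a system account.
# $1 = user, $2 = login.defs path, $3 = passwd file (default /etc/passwd)
is_system_uid() {
  uid=$(awk -F: -v u="$1" '$1 == u { print $3 }' "${3:-/etc/passwd}")
  [ -n "$uid" ] || return 1                 # account does not exist
  uid_min=$(awk '$1 == "UID_MIN" { print $2 }' "$2")
  [ -n "$uid_min" ] || uid_min=1000         # assumed fallback boundary
  [ "$uid" -lt "$uid_min" ]
}

# Full audit: returns 0 on pass, 1 on fail, printing one line per finding.
# $1 = httpd.conf, $2 = login.defs, $3 = passwd file
audit_httpd_user() {
  cfg="$1"; defs="${2:-/etc/login.defs}"; pw="${3:-/etc/passwd}"; rc=0
  u=$(apache_directive "$cfg" User)
  g=$(apache_directive "$cfg" Group)
  is_dedicated_account "$u" || { echo "FAIL: User is '${u:-unset}'"; rc=1; }
  is_dedicated_account "$g" || { echo "FAIL: Group is '${g:-unset}'"; rc=1; }
  if [ "$rc" -eq 0 ] && ! is_system_uid "$u" "$defs" "$pw"; then
    echo "FAIL: '$u' is missing or not a system account (UID >= UID_MIN)"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "PASS: User=$u Group=$g"
  return "$rc"
}
```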

Default Value:

The default Apache user and group are configured as daemon.

See Also

https://workbench.cisecurity.org/files/4548