OpenShift Pipelines > SRVKP-4185 Triage SDElements Threat Model Countermeasures > SRVKP-4299

T861: Set up a non-root user account for running the Apache Web server (Apache HTTP Server)


      Use the following guidelines for setting up a non-root user account for running the Apache Web Server:

      • Run the Apache Web Server as a non-root user:
      Although Apache is typically started with `root` privileges so that it can bind ports `80` and `443`, it can and should run as another, non-root user to serve requests. The Apache `User` and `Group` directives designate the user and group that the Apache worker processes assume.
      
      One of the best ways to reduce exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The `nobody` or `daemon` user and group that come by default on Unix variants should __not__ be used to run the web server, since those accounts are commonly shared by other, separate daemon services. Instead, use an account strictly for the Apache software that does not grant unnecessary access to other services.
      
      Also, the identifier used for the apache user should be a unique system account. System account UIDs occupy the lower range of values, which is reserved for special system accounts rather than regular users. Typically, system account UIDs range from `1-999` or `1-499`, with the bounds defined in the `/etc/login.defs` file.
      
      As an even more secure alternative, if the Apache web server can be run on high unprivileged ports, then it is not necessary to start Apache as `root`, and all of the Apache processes may be run as the Apache-specific user.
      
      • Give the Apache User Account an Invalid Shell:
      The apache account must not be used as a regular login account and should be assigned an invalid or `nologin` shell so that the account cannot be used to log in. Service accounts such as the apache account are a risk if they can be used to obtain a login shell on the system.
      
      • Lock the Apache User Account:
      The user account Apache runs under should not have a valid password and should be locked. As a defense-in-depth measure, the Apache user account should be locked to prevent logins, and to prevent a user from `su`'ing to apache using the password. In general, there should not be a need for anyone to use `su` as Apache. When there is a need, then `sudo` should be used instead, which does not require the Apache account password.
      

      Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/openshift-pipelines/tasks/phase/deployment/37-T861/

      How Tos:

      Apache HTTP Server: How to set up a non-root user account for running the Apache Web server

      • Use the following procedure to set up a non-root user account to run the Apache Web server:
        1. If the apache user and group do not already exist, create them as a unique system account and group:

        # groupadd -r apache
        # useradd -r -g apache -d /var/www -s /sbin/nologin apache

        2. Configure the Apache user and group in the Apache configuration file `httpd.conf`:

        User apache
        Group apache

        3. Change the apache account to use the nologin shell or an invalid shell such as `/dev/null`:

        # chsh -s /sbin/nologin apache

        4. Use the `passwd` command to lock the apache account:

        # passwd -l apache
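
      The procedure above leaves three verifiable properties on the host: a system-range UID, a non-interactive shell, and a locked password. The following audit script is an added example (not part of the SD Elements countermeasure or this Jira issue) that checks an account against those three properties; it runs on constructed `passwd`, `shadow` and `login.defs` snippets so it needs no root, and the sample hash in `SHADOW_BAD` is a placeholder, not a real password hash.

```shell
#!/bin/sh
# Audit one service account against the hardening steps above.
# Assumption: file contents are passed in as strings; on a real host
# read /etc/passwd, /etc/shadow and /etc/login.defs instead (as root).

# Constructed sample data, not taken from any real system.
PASSWD_OK='apache:x:48:48:Apache:/var/www:/sbin/nologin'
SHADOW_OK='apache:!!:19000:0:99999:7:::'
PASSWD_BAD='apache:x:1001:1001:Apache:/home/apache:/bin/bash'
SHADOW_BAD='apache:$6$placeholder$notarealhash:19000:0:99999:7:::'
LOGIN_DEFS='UID_MIN 1000
SYS_UID_MIN 201
SYS_UID_MAX 999'

# check_account NAME PASSWD_LINE SHADOW_LINE LOGIN_DEFS
# Prints one line per finding; returns 0 if all checks pass, 1 otherwise.
check_account() {
    name=$1; pw=$2; sh=$3; defs=$4; rc=0
    uid=$(printf '%s\n' "$pw" | cut -d: -f3)
    shell=$(printf '%s\n' "$pw" | cut -d: -f7)
    hash=$(printf '%s\n' "$sh" | cut -d: -f2)
    sys_max=$(printf '%s\n' "$defs" | awk '$1=="SYS_UID_MAX"{print $2}')
    [ -z "$sys_max" ] && sys_max=999   # shadow-utils default when unset
    # 1. UID must fall in the reserved system range from login.defs
    if [ "$uid" -gt "$sys_max" ]; then
        echo "$name: UID $uid is not a system UID (SYS_UID_MAX=$sys_max)"; rc=1
    fi
    # 2. Shell must be non-interactive (nologin or an invalid shell)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/dev/null) ;;
        *) echo "$name: login shell $shell permits interactive login"; rc=1 ;;
    esac
    # 3. Password must be locked: passwd -l prefixes the hash with '!'
    case "$hash" in
        '!'*|'*'*) ;;
        *) echo "$name: password is not locked"; rc=1 ;;
    esac
    return $rc
}

check_account apache "$PASSWD_OK" "$SHADOW_OK" "$LOGIN_DEFS" && echo "apache: OK"
check_account apache "$PASSWD_BAD" "$SHADOW_BAD" "$LOGIN_DEFS" || echo "apache: FAIL"
```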
      

      Assignee: Unassigned
      Reporter: sdelements (Jira-SD-Elements-Integration Bot)