How to change Apache user and group

The Apache web server relies on user and group permissions to define directory and file access. By default, many Linux distributions assign www-data, httpd, or apache as the server’s User and Group, ensuring minimal rights and improved security.

Altering these defaults accommodates unique integration scenarios, specialized workflows, or additional security models. For instance, certain environments might require custom privileges or membership in specific groups, prompting a shift away from the standard Apache user. Aligning these permissions helps the server handle requests safely and efficiently.

When adjusting the User and Group for Apache, it is important to verify that these accounts have adequate privileges for the directories they must access. Correct file ownership and permissions maintain a secure system. Providing the right foundation for file interactions is essential to stable and robust application performance.

Steps to modify Apache user and group:

Locate the User and Group directives in the Apache configuration file.

$ sudo grep -Enr "^User |^Group " /etc/{apache2,httpd}/
Password:
/etc/apache2/apache2.conf:115:User ${APACHE_RUN_USER}
/etc/apache2/apache2.conf:116:Group ${APACHE_RUN_GROUP}

Open the configuration file using a text editor.
```
$ sudo vi /etc/apache2/apache2.conf
```
Modify the User and Group values to reflect the desired user and group.
```
User username
Group groupname
```
The following example is to run it as a username called username and groupname as group. It's a security risk as an exploited script will have the user's access to the system.
Ensure that the new user and group have the correct permissions to access the necessary directories.
```
$ sudo chown --recursive username:groupname /home/user/website/
```
Related: How to change the DocumentRoot in Apache

Restart the Apache service to apply the changes.

$ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
$ sudo systemctl restart httpd # CentOS and Red Hat

Verify that Apache is running under the new user and group by checking the running processes.

$ ps aux | grep apache2
root        9720  0.0  0.1   8796  4492 ?        Ss   20:52   0:00 /usr/sbin/apache2 -k start
username        9721  0.0  0.1 1216456 4884 ?        Sl   20:52   0:00 /usr/sbin/apache2 -k start
username        9722  0.0  0.1 1216456 5012 ?        Sl   20:52   0:00 /usr/sbin/apache2 -k start
username        9831  0.0  0.0   6068  1920 pts/0    S+   20:53   0:00 grep --color=auto apache2

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.