The Apache web server, one of the most widely used web servers globally, operates under specific user and group permissions. These permissions determine which files and directories the server can access and modify, ensuring that sensitive files remain secure and inaccessible. Apache is not required and thus not configured to have any other access for security reasons, as even an exploit to a poorly written PHP or Perl script will not escalate and cause much harm to the system.

By default, Apache runs under a non-privileged user and group, often named www-data or apache, depending on the distribution. This setup minimizes potential security risks. However, there are scenarios where you might need to change the default user and group settings, such as when integrating with other software or when setting up specific permissions for web applications.

Adjusting the user and group settings in Apache is straightforward. It involves modifying the User and Group directives in the Apache configuration file.

Steps to change Apache user and group:

  1. Find User and Group directives in Apache's configuration file.
    $ sudo grep -Enr "^User |^Group " /etc/{apache2,httpd}/
    /etc/apache2/apache2.conf:115:User ${APACHE_RUN_USER}
    /etc/apache2/apache2.conf:116:Group ${APACHE_RUN_GROUP}
  2. Open Apache's configuration file using your preferred text editor.
    $ sudo vi /etc/apache2/apache2.conf
  3. Modify the values of the User and Group directives to the desired user and group that exist on your system.
    User username
    Group groupname

    The following example is to run it as a username called username and groupname as group. It's a security risk as an exploited script will have the user's access to the system.

  4. Make sure the configured user and group has the correct permission to the DocumentRoot folders of all Apache's VirtualHosts.
    $ sudo chown --recursive username:groupname /home/user/website/
  5. Restart the Apache service to apply the changes.
    $ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
    $ sudo systemctl restart httpd # CentOS and Red Hat
  6. Verify that Apache is running under the new user and group by checking the running processes.
    $ ps aux | grep apache2
    root        9720  0.0  0.1   8796  4492 ?        Ss   20:52   0:00 /usr/sbin/apache2 -k start
    username        9721  0.0  0.1 1216456 4884 ?        Sl   20:52   0:00 /usr/sbin/apache2 -k start
    username        9722  0.0  0.1 1216456 5012 ?        Sl   20:52   0:00 /usr/sbin/apache2 -k start
    username        9831  0.0  0.0   6068  1920 pts/0    S+   20:53   0:00 grep --color=auto apache2
Discuss the article:

Comment anonymously. Login not required.