The Apache runtime User and Group determine which Unix permissions the web server has for reading site content and writing application data (uploads, cache, sockets). Aligning the runtime account with a deployment model can remove permission failures without making directories world-writable or granting broader access than necessary.
On Linux, the Apache parent process starts as root to bind privileged ports, then spawns worker processes that drop privileges to the configured User and Group. On Ubuntu and Debian, /etc/apache2/apache2.conf typically sets these directives via the environment variables APACHE_RUN_USER and APACHE_RUN_GROUP defined in /etc/apache2/envvars.
Running worker processes under the wrong account can expand the blast radius of a compromised application or break access to the DocumentRoot, application upload paths, and runtime directories. Keep the runtime account unprivileged, ensure required paths are readable or writable as needed, and validate the configuration before restarting to avoid accidental downtime. When using PHP-FPM or other backends, application code may run under a different account than the Apache worker user.
Steps to modify Apache user and group:
- Locate the User and Group directives in the active Apache configuration file.
$ sudo grep -nE '^[[:space:]]*(User|Group)[[:space:]]' /etc/apache2/apache2.conf
115:User ${APACHE_RUN_USER}
116:Group ${APACHE_RUN_GROUP}
On CentOS and RHEL, the primary config is often /etc/httpd/conf/httpd.conf.
- Locate the current APACHE_RUN_USER and APACHE_RUN_GROUP exports used by Apache on Ubuntu and Debian.
$ sudo grep -nE '^export APACHE_RUN_(USER|GROUP)=' /etc/apache2/envvars
56:export APACHE_RUN_USER=www-data
57:export APACHE_RUN_GROUP=www-data
- Open /etc/apache2/envvars in a text editor.
$ sudoedit /etc/apache2/envvars
sudoedit writes changes as root while editing with $EDITOR.
- Set APACHE_RUN_USER to the desired runtime user name.
export APACHE_RUN_USER=username
The target account must already exist, or Apache may fail to start.
Avoid root or a regular login user, since compromised web code can inherit that account’s file access.
- Set APACHE_RUN_GROUP to the desired runtime group name.
export APACHE_RUN_GROUP=groupname
A shared group can simplify deployments by granting group write access to specific application directories.
- Ensure the new user and group have correct permissions for the site’s directories.
$ sudo chown --recursive username:groupname /home/user/website/
Using chown --recursive on the wrong path can break permissions across unrelated content.
- Test the Apache configuration for errors before restarting.
$ sudo apache2ctl configtest
Syntax OK
- Restart the Apache service to apply the changes.
$ sudo systemctl restart apache2
On CentOS and RHEL, the service name is usually httpd (sudo systemctl restart httpd).
- Check the Apache service status for an active state and recent log lines.
$ sudo systemctl status apache2 --no-pager
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2025-12-13 11:02:41 UTC; 6s ago
       Docs: https://httpd.apache.org/docs/2.4/
   Main PID: 9720 (apache2)
      Tasks: 55 (limit: 2316)
     Memory: 6.4M
        CPU: 112ms
     CGroup: /system.slice/apache2.service
             ├─9720 /usr/sbin/apache2 -k start
             ├─9721 /usr/sbin/apache2 -k start
##### snipped #####
- Verify that Apache is running under the new user and group by checking the running processes.
$ ps -o user,group,pid,cmd -C apache2
USER     GROUP       PID CMD
root     root       9720 /usr/sbin/apache2 -k start
username groupname  9721 /usr/sbin/apache2 -k start
username groupname  9722 /usr/sbin/apache2 -k start
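The account checks from the steps above (the account must exist, must not be root, and should not be a regular login user) can be run against /etc/apache2/envvars before the restart. This script is an added example, not part of the original guide; the function names and the sample accounts deploy and webapp are hypothetical, and the "login user" test is a heuristic based on the account's shell.

```shell
#!/bin/sh
# Pre-flight check for the runtime account named in an envvars-style file.
# Assumption: accounts live in flat passwd/group files (LDAP/NSS users are not seen).

# Print the value exported for variable $2 in file $1 (last assignment wins).
envvar_value() {
    sed -n "s/^export $2=//p" "$1" | tail -n 1
}

# Print one finding per line; return 0 only when there are none.
check_run_account() {
    envvars=${1:-/etc/apache2/envvars}
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}
    user=$(envvar_value "$envvars" APACHE_RUN_USER)
    grp=$(envvar_value "$envvars" APACHE_RUN_GROUP)
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }
    # uid and login shell of the configured user, empty if the account is missing
    acct=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $7 }' "$passwd")
    if [ -z "$user" ]; then
        report "APACHE_RUN_USER is not set"
    elif [ -z "$acct" ]; then
        report "user '$user' does not exist"
    else
        [ "${acct%%:*}" -eq 0 ] && report "user '$user' has uid 0 (root)"
        case "${acct#*:}" in
            */nologin|*/false) ;;   # service account, no interactive login
            *) report "user '$user' has login shell ${acct#*:}" ;;
        esac
    fi
    if [ -z "$grp" ]; then
        report "APACHE_RUN_GROUP is not set"
    elif ! grep -q "^$grp:" "$group"; then
        report "group '$grp' does not exist"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files so the check runs offline; not taken from a real host.
tmp=$(mktemp -d)
printf 'export APACHE_RUN_USER=deploy\nexport APACHE_RUN_GROUP=webapp\n' > "$tmp/envvars"
printf 'root:x:0:0::/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\ndeploy:x:1000:1000::/home/deploy:/bin/bash\n' > "$tmp/passwd"
printf 'root:x:0:\nwww-data:x:33:\n' > "$tmp/group"
check_run_account "$tmp/envvars" "$tmp/passwd" "$tmp/group" || echo "do not restart Apache yet"
```

Called with no arguments, check_run_account reads /etc/apache2/envvars, /etc/passwd and /etc/group.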
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
