3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf Group = apache'

Information

Although Apache is typically started with root privileges in order to listen on port '80' and '443', it can and should run as another non-root user in order to perform the web services. The Apache User and Group directives are used to designate the user and group to be used.

Rationale:

One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged user and group for the server application. The 'nobody' or 'daemon' user and group that come default on Unix variants should NOT be used to run the web server because the account is commonly used for other separate daemon services. Instead, an account should be used only by the Apache software so as to not give unnecessary access to other services. Also, the user used for the Apache user should be a unique value between '1' and '499', as these lower values are reserved for the special system accounts not used by regular users, as discussed in the User Accounts section of the CIS Red Hat benchmark. As an even more secure alternative, if the Apache web server can be run on high unprivileged ports, it is not necessary to start Apache as root, and all the Apache processes may be run as the Apache specific user, as described below.

Solution

Perform the following:
1. If the Apache user and group do not already exist, create the account and group as a unique system account:

# groupadd -r apache
# useradd apache -r -g apache -d /var/www -s /sbin/nologin

2. Configure the Apache user and group in the Apache configuration file 'httpd.conf':

User apache
Group apache

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|18, CSCv7|14.6

Plugin: Unix

Control ID: 170df1ffb485eb381a8ae8703d6863468fda7466905f95c382e303ba1621629d