Run Apache httpd server from a non-root user privilege

On most Linux distributions the Apache2 or HTTPD service is started by the superuser root account. In some environments, however, you may need to start the Apache Web Server from a non-root (normal) user account. Refer to the solution section for more information.

Topic

  • How to start Apache Web server by a non-root user account?
  • Start Apache service by a non-root user account.
  • How to start Apache HTTPD with non-root account privileges?

apt

  • Linux
  • Apache2
  • HTTPD
  • Centos 7
  • Ubuntu
  • Debian

Solution


There are many ways to start/stop Apache Web Server as a non-root user. This article covers 5 methods. test is the user account used throughout this article to start the Apache service.

  1. Sudo privileges
  2. Polkit privilege
  3. Systemd custom Unit
  4. Linux capabilities
  5. SetUID bit

Method 1: Sudo privileges

  • Give the non-root account sudo privileges to start the service. In this example, the test user wants to start the Apache service.
  • Add the following configuration to the /etc/sudoers file (edit it with visudo so that a syntax error is caught before the file is saved). If your user is different, replace test with the user account name of your choice.
test        ALL=(ALL)       NOPASSWD: /usr/bin/systemctl start httpd, /usr/bin/systemctl stop httpd, /usr/bin/systemctl reload httpd, /usr/bin/systemctl status httpd

  • Now log in to the test user account and run the following commands with the sudo prefix to manage the service.
Start service
$ sudo /usr/bin/systemctl start httpd
Stop service
$ sudo /usr/bin/systemctl stop httpd
Reload service
$ sudo /usr/bin/systemctl reload httpd
Check service status
$ sudo /usr/bin/systemctl status httpd


Method 2: Polkit privilege

  • Add the test user account to the wheel group.
  • Polkit will then authorize the test user account to start any system service or perform any system activity with the pkexec prefix, so the grant is not limited to httpd.
  • After adding the test user to the wheel group, run the following commands to start or manage the service.
$ pkexec systemctl start httpd
$ pkexec systemctl stop httpd


Method 3: Systemd custom Unit

  • In this method, systemd starts the service as the test user account during system startup.
  • Create a systemd unit file /etc/systemd/system/httpd.service as in the following example.
Replace the test user and group with the user of your choice.

# cat /etc/systemd/system/httpd.service

[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
KillSignal=SIGCONT
PrivateTmp=true
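# Directive names are case-sensitive: systemd ignores USER=/GROUP= and would start httpd as root.
# Started as test, httpd can bind port 80 only if it holds cap_net_bind_service (see Method 4)
# or Listen uses a port above 1023.
User=test
Group=test

# Without an [Install] section, systemctl enable has nothing to link.
[Install]
WantedBy=multi-user.target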

  • Reload systemd
# systemctl daemon-reload

  • Enable the service unit to start during reboot
# systemctl enable httpd

  • You can now reboot the system and check service status.


Method 4: Linux capabilities

Refer to the following two articles to get detailed understanding of Linux capabilities.

User test
Group test

  • Modify /usr/lib/tmpfiles.d/httpd.conf configuration file and replace apache and root user with test user account.
d /run/httpd   710 test test
d /run/httpd/htcacheclean   700 test test

  • Change user ownership of /var/log/httpd to test user account.
# chown -R test /var/log/httpd

  • As root, set the cap_net_bind_service capability on the /usr/sbin/httpd Apache binary.
# setcap cap_net_bind_service=+epi /usr/sbin/httpd

Then run the following command to verify the capability.

# getcap /usr/sbin/httpd
/usr/sbin/httpd = cap_net_bind_service+eip

  • Now start HTTPD service from test user login
Start Service
[test@centos-testsrv ~]$ httpd -k start
[test@centos-testsrv ~]$ ps -ef | grep httpd
test      3691     1  0 00:27 ?        00:00:00 httpd -k start
test      3692  3691  0 00:27 ?        00:00:00 httpd -k start
test      3693  3691  0 00:27 ?        00:00:00 httpd -k start
test      3694  3691  0 00:27 ?        00:00:00 httpd -k start
test      3695  3691  0 00:27 ?        00:00:00 httpd -k start
test      3696  3691  0 00:27 ?        00:00:00 httpd -k start

Stop Service
# httpd -k stop


Method 5: SetUID bit

Refer to the following two articles to get detailed understanding of Linux capabilities and SetUID bit.

User test
Group test

  • Modify /usr/lib/tmpfiles.d/httpd.conf configuration file and replace apache and root user with test user account.
d /run/httpd   710 test test
d /run/httpd/htcacheclean   700 test test

  • Change user ownership of /var/log/httpd to test user account.
# chown -R test /var/log/httpd

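  • Apply the SetUID bit permission to the /usr/sbin/httpd binary. The binary is owned by root, so the parent httpd process runs as root whichever user starts it, as the ps output below shows.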
# chmod u+s /usr/sbin/httpd
# ls -l /usr/sbin/httpd
-rwsr-xr-x. 1 root root 523680 Aug  8 17:12 /usr/sbin/httpd

  • Now start HTTPD service from test user login
Start Service
[test@centos-testsrv ~]$ httpd -k start
[test@centos-testsrv ~]$ ps -ef | grep httpd
root      3745     1  0 00:37 ?        00:00:00 httpd -k start
test      3746  3745  0 00:37 ?        00:00:00 httpd -k start
test      3747  3745  0 00:37 ?        00:00:00 httpd -k start
test      3748  3745  0 00:37 ?        00:00:00 httpd -k start
test      3749  3745  0 00:37 ?        00:00:00 httpd -k start
test      3750  3745  0 00:37 ?        00:00:00 httpd -k start

Stop Service
# httpd -k stop
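
A check of what Methods 4 and 5 leave behind, as an added example that is not from the original article: it reads the same three outputs shown above (the ls -l mode string, the getcap line and the ps -ef listing) and reports whether the SetUID bit or a file capability is in effect and how many httpd processes still run as root. The function names and the shortened sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example. Inputs are the three outputs the article prints:
# the `ls -l` mode string, the `getcap` line and the `ps -ef` listing.

# Count httpd processes owned by root in `ps -ef` output read from stdin.
root_httpd_count() {
    awk '$1 == "root" && ($8 == "httpd" || $8 ~ /\/httpd$/) { n++ } END { print n + 0 }'
}

# Succeed when the mode string (e.g. -rwsr-xr-x.) carries the owner SetUID bit.
has_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the capability names from one `getcap` line. Accepts "path = caps+eip"
# (the form shown in the article) and "path caps=eip" (newer libcap).
file_caps() {
    printf '%s\n' "$1" | awk '{ c = $NF; sub(/[+=][eip]+$/, "", c); print c }'
}

# Report which mechanism is in effect and how many httpd processes run as root.
classify_httpd() {
    mode=$1; capline=$2; pstext=$3
    roots=$(printf '%s\n' "$pstext" | root_httpd_count)
    caps=$(file_caps "$capline")
    if has_setuid "$mode"; then
        echo "setuid root_procs=$roots"
    elif [ "$caps" = "cap_net_bind_service" ]; then
        echo "capability-only root_procs=$roots"
    elif [ -n "$caps" ]; then
        echo "extra-capabilities($caps) root_procs=$roots"
    else
        echo "plain root_procs=$roots"
    fi
}

# Constructed samples, shortened from the article's Method 4 and Method 5 output.
# The Method 4 mode string is an assumption (the article does not print it).
PS_METHOD4='test      3691     1  0 00:27 ?        00:00:00 httpd -k start
test      3692  3691  0 00:27 ?        00:00:00 httpd -k start'
PS_METHOD5='root      3745     1  0 00:37 ?        00:00:00 httpd -k start
test      3746  3745  0 00:37 ?        00:00:00 httpd -k start'

classify_httpd '-rwxr-xr-x.' '/usr/sbin/httpd = cap_net_bind_service+eip' "$PS_METHOD4"
classify_httpd '-rwsr-xr-x.' '' "$PS_METHOD5"
```

On a live host, feed the functions the output of ls -l /usr/sbin/httpd, getcap /usr/sbin/httpd and ps -ef instead of the samples.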

About the Author: TekFik