
The Apache2 or HTTPD service is generally started by the superuser (root) account on any Linux distribution. However, in specific cases or for specific requirements, you may need to start the Apache Web Server from a non-root (normal) user account. Refer to the solution section for more information.
Topic
- How to start Apache Web server by a non-root user account?
- Start Apache service by a non-root user account.
- How to start Apache HTTPD with non-root account privileges?
apt
- Linux
- Apache2
- HTTPD
- Centos 7
- Ubuntu
- Debian
Solution
There are many ways to start/stop Apache Web Server as a non-root user. In this article, we’ll fulfill this requirement with 5 methods. The user account test is used throughout this article as the account that starts the Apache service.
- Sudo privileges
- Polkit privilege
- Systemd custom Unit
- Linux capabilities
- SetUID bit
Method 1: Sudo privileges
- Give the non-root account sudo privileges to start the service. In this example, the test user wants to start the Apache service.
- Add the following configuration to the /etc/sudoers file. If your user is different, replace test with the user account name of your choice.
test ALL=(ALL) NOPASSWD: /usr/bin/systemctl start httpd, /usr/bin/systemctl stop httpd, /usr/bin/systemctl reload httpd, /usr/bin/systemctl status httpd
- Now log in to the test user account and run the following commands with the sudo prefix to manage the service.
Start service
$ sudo /usr/bin/systemctl start httpd
Stop Service
$ sudo /usr/bin/systemctl stop httpd
Reload Service
$ sudo /usr/bin/systemctl reload httpd
Check service status
$ sudo /usr/bin/systemctl status httpd
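The sudoers rule above delegates four exact commands and nothing else. The following added example (not part of the original article) checks a rule of that form against the article's list; the function name audit_rule and the BROAD_RULE sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Checks that a sudoers rule of the form used in Method 1
#   <user> ALL=(ALL) NOPASSWD: <cmd>, <cmd>, ...
# grants only the four exact systemctl commands the article lists.

# Exact commands the article intends to delegate (one per line).
ALLOWED='/usr/bin/systemctl start httpd
/usr/bin/systemctl stop httpd
/usr/bin/systemctl reload httpd
/usr/bin/systemctl status httpd'

# The rule from the article, and a constructed over-broad variant.
PAGE_RULE='test ALL=(ALL) NOPASSWD: /usr/bin/systemctl start httpd, /usr/bin/systemctl stop httpd, /usr/bin/systemctl reload httpd, /usr/bin/systemctl status httpd'
BROAD_RULE='test ALL=(ALL) NOPASSWD: /usr/bin/systemctl start httpd, /usr/bin/systemctl *, /usr/bin/systemctl restart sshd'

# audit_rule RULE -> prints one finding per command entry that is a wildcard
# or is not an exact allow-listed command; prints nothing when the rule
# matches the article's intent. Assumes the NOPASSWD: form shown above.
audit_rule() {
    cmds=${1#*NOPASSWD:}
    printf '%s\n' "$cmds" | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r cmd; do
        if [ -z "$cmd" ]; then
            continue
        fi
        case $cmd in
            # A wildcard lets the user pick the unit or the verb.
            *[*?]*) printf 'WILDCARD: %s\n' "$cmd"; continue ;;
        esac
        if ! printf '%s\n' "$ALLOWED" | grep -Fxq -- "$cmd"; then
            printf 'UNEXPECTED: %s\n' "$cmd"
        fi
    done
}
```

Run audit_rule "$PAGE_RULE" for the article's rule (no output) and audit_rule "$BROAD_RULE" to see the two findings. Check the file's syntax itself with visudo -c before relying on it.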
Method 2: Polkit privilege
- Add the test user account to the wheel group.
- Polkit will authorize the test user account to start any system service or perform any system activity with the pkexec prefix.
- Execute the following commands to start or manage the service after adding the test user to the wheel group.
$ pkexec systemctl start httpd
$ pkexec systemctl stop httpd
Method 3: Systemd custom Unit
- In this method, we’ll start the service during system startup as the test user account with systemd.
- Create a systemd unit file /etc/systemd/system/httpd.service as in the following example.
Replace the test user and group with the user of your choice.
# cat /etc/systemd/system/httpd.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
KillSignal=SIGCONT
PrivateTmp=true
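# Directive names are case-sensitive: User= and Group=, not USER=/GROUP=
# A non-root User= cannot bind ports below 1024 without CAP_NET_BIND_SERVICE (see Method 4)
User=test
Group=test

[Install]
# Needed so that "systemctl enable httpd" can hook the unit into boot
WantedBy=multi-user.target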
- Reload systemd
# systemctl daemon-reload
- Enable the service unit to start during reboot
# systemctl enable httpd
- You can now reboot the system and check service status.
Method 4: Linux capabilities
Refer to the following two articles to get detailed understanding of Linux capabilities.
- In this method we’ll start and stop the Apache service as the test user account.
- In the /etc/httpd/conf/httpd.conf Apache configuration file, replace the apache user and group with the test user and group.
User test
Group test
- Modify /usr/lib/tmpfiles.d/httpd.conf configuration file and replace apache and root user with test user account.
d /run/httpd 710 test test
d /run/httpd/htcacheclean 700 test test
- Change user ownership of /var/log/httpd to test user account.
# chown -R test /var/log/httpd
- As root, set the cap_net_bind_service capability on the /usr/sbin/httpd Apache binary.
# setcap cap_net_bind_service=+epi /usr/sbin/httpd
Then execute the command below to validate.
# getcap /usr/sbin/httpd
/usr/sbin/httpd = cap_net_bind_service+eip
- Now start the HTTPD service from the test user login
Start Service
[test@centos-testsrv ~]$ httpd -k start
[test@centos-testsrv ~]$ ps -ef | grep httpd
test 3691 1 0 00:27 ? 00:00:00 httpd -k start
test 3692 3691 0 00:27 ? 00:00:00 httpd -k start
test 3693 3691 0 00:27 ? 00:00:00 httpd -k start
test 3694 3691 0 00:27 ? 00:00:00 httpd -k start
test 3695 3691 0 00:27 ? 00:00:00 httpd -k start
test 3696 3691 0 00:27 ? 00:00:00 httpd -k start
Stop Service
# httpd -k stop
Method 5: SetUID bit
Refer to the following two articles to get detailed understanding of Linux capabilities and SetUID bit.
- In this method we’ll start and stop the Apache service as the test user account.
- In the /etc/httpd/conf/httpd.conf Apache configuration file, replace the apache user and group with the test user and group.
User test
Group test
- Modify /usr/lib/tmpfiles.d/httpd.conf configuration file and replace apache and root user with test user account.
d /run/httpd 710 test test
d /run/httpd/htcacheclean 700 test test
- Change user ownership of /var/log/httpd to test user account.
# chown -R test /var/log/httpd
- Apply SetUID bit permission to /usr/sbin/httpd binary.
# chmod u+s /usr/sbin/httpd
# ls -l /usr/sbin/httpd
-rwsr-xr-x. 1 root root 523680 Aug 8 17:12 /usr/sbin/httpd
- Now start the HTTPD service from the test user login
Start Service
[test@centos-testsrv ~]$ httpd -k start
[test@centos-testsrv ~]$ ps -ef | grep httpd
root 3745 1 0 00:37 ? 00:00:00 httpd -k start
test 3746 3745 0 00:37 ? 00:00:00 httpd -k start
test 3747 3745 0 00:37 ? 00:00:00 httpd -k start
test 3748 3745 0 00:37 ? 00:00:00 httpd -k start
test 3749 3745 0 00:37 ? 00:00:00 httpd -k start
test 3750 3745 0 00:37 ? 00:00:00 httpd -k start
Stop Service
# httpd -k stop
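The two ps listings above differ in one important way: with the capability (Method 4) every httpd process runs as test, while with the SetUID bit (Method 5) the parent process still runs as root. The following added example (not part of the original article) makes that check repeatable; the function names are constructed for illustration and the sample lines are shortened copies of the article's listings.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Compares Method 4 (file capability) with Method 5 (SetUID bit) using the
# ps and ls/getcap listings shown in the article.

# `ps -ef` lines copied from the article (UID PID PPID C STIME TTY TIME CMD).
PS_METHOD4='test 3691 1 0 00:27 ? 00:00:00 httpd -k start
test 3692 3691 0 00:27 ? 00:00:00 httpd -k start'
PS_METHOD5='root 3745 1 0 00:37 ? 00:00:00 httpd -k start
test 3746 3745 0 00:37 ? 00:00:00 httpd -k start'

# httpd_root_pids: reads `ps -ef` output on stdin and prints the PID of
# every httpd process that is running as root.
httpd_root_pids() {
    awk '$1 == "root" && $8 ~ /(^|\/)httpd$/ { print $2 }'
}

# binary_privilege MODE OWNER GETCAP_LINE -> how the binary is privileged.
#   MODE        permission string from `ls -l`, e.g. -rwsr-xr-x.
#   OWNER       file owner from `ls -l`
#   GETCAP_LINE output of `getcap /usr/sbin/httpd` (empty if none)
# setuid-root means the process starts with full root rights, not just the
# right to bind a low port, so it is reported first.
binary_privilege() {
    if [ "$2" = root ]; then
        case $1 in
            ???[sS]*) echo setuid-root; return 0 ;;
        esac
    fi
    case $3 in
        *cap_net_bind_service*) echo cap_net_bind_service ;;
        *) echo none ;;
    esac
}
```

On a live system, feed the functions real data, for example ps -ef | httpd_root_pids, and pass binary_privilege the mode and owner from ls -l together with the getcap output.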