job.answiz.com
  • 4
Votes
name

Currently, top shows me that almost all httpd processes are run by nobody. "Almost" because 2 of them are run by root.

How can i make it in such a way that given i have users say: dartagnanporthosaramisathos run httpd each separately as said users?

I'm hoping to see something like this when i run top:

PID  USER      Command
1234 dartagnan /usr/local/apache/bin/httpd -k start -DSSL
12   porthos   /usr/local/apache/bin/httpd -k start -DSSL
342  aramis    /usr/local/apache/bin/httpd -k start -DSSL
214  athos     /usr/local/apache/bin/httpd -k start -DSSL 

============> This is what i currently have and what i DONT like to see:

PID  USER      Command
1234 nobody    /usr/local/apache/bin/httpd -k start -DSSL
12   nobody    /usr/local/apache/bin/httpd -k start -DSSL
342  nobody    /usr/local/apache/bin/httpd -k start -DSSL
214  nobody    /usr/local/apache/bin/httpd -k start -DSSL 
244  root      /usr/local/apache/bin/httpd -k start -DSSL 
334  root      /usr/local/apache/bin/httpd -k start -DSSL 

Apache has to run as root initially in order to bind to port 80. If you don't run it as root initially then you cannot bind to port 80. If you want to bind to some port above 1024 then yes, you can. Otherwise don't worry about root. That is the parent Apache process and does not serve any requests. It will spawn child processes and drop privileges for handling requests.

To change the Apache user set the User and Group parameters in your Apache config.

  • 2
Reply Report

The way to run httpd as a different User|Group is to change the user or group directive in the httpd.conf file.

User apache
Group apache

This though would only change the nobody in your output above to apache which I guess isn't what you want.

To have httpd run as a particular user you are going to have to create and manage a configuration file for each of them. The configuration file should specify the User and Group appropriately as well as the port the httpd process should bind to via a Listen directive. Remember only privileged users can bind to ports <1024. You can then start it like so

apachectl -f /path/to/aramis.conf -k start -DSSL

Note other httpd directives e.g. VirtualHost will likely need changing too on a per user basis.

Additionally EL variants (RHEL, CentOS Scientific Linux etc ) SELinux is involved. You will have to add the port that each instance will bind to, to the http_port_t group e.g.

semanage port -a -t http_port_t -p tcp 8888

which would allow an httpd instance to bind to port 8888.

If the users will use their home directories to serve files from then you will have to allow it with the httpd_enable_homedires SELinux boolean

 setsebool -P httpd_enable_homedirs on

The above should allow you to configure per user instances of httpd however each user will have to remember which port to use to add to their URLs e.g for aramis above

http://example.com:8888

This is all very messy. To help your users out you should configure your main httpd to listen on port 80 as usual and act as a reverse proxy to the per user instances. Then when aramis connects to e.g.

http://aramis.example.com 

the main server proxy's it aramis's instance.

You're going to have to configure the DNS and possibly other things appropriately too.

  • 4
Reply Report