https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002597#M47743 Shalom Girish,<BR /><BR />As noted apache is usually the owner of the httpd processes.<BR /><BR />If you are thinking of changing it, note that the user id of the web server is defined in the /etc/httpd/conf/httpd.conf file.<BR /><BR />SEP Mon, 11 Sep 2006 20:17:49 GMT Steven E. Protter 2006-09-11T20:17:49Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002595#M47741 Hi,<BR /><BR />We have Apache Web Server installed on Redhat Enterprise Linux, the web server is hosting our company website.<BR /><BR />I'm new to web server services. I would like to know, how do we check on what user the web server is running.<BR /><BR />Also how do I make it secure.<BR /><BR />Thanks in advance for the responses.<BR /><BR />Regards<BR />Girish<BR /><BR /> Mon, 11 Sep 2006 16:28:44 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002595#M47741 girishb 2006-09-11T16:28:44Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002596#M47742 You can use:<BR /><BR />ps auxw |grep httpd<BR /><BR />To identify the user that runs tha httpd process.<BR /><BR />You can also check the httpd.conf for the options:<BR /><BR />User<BR />Group<BR /><BR />Normally will be set to Apache.<BR /><BR />There are a lot of books about how to secure apache. If you have lucky enough, you can find some ebooks for free. Mon, 11 Sep 2006 17:07:19 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002596#M47742 Ivan Ferreira 2006-09-11T17:07:19Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002597#M47743 Shalom Girish,<BR /><BR />As noted apache is usually the owner of the httpd processes.<BR /><BR />If you are thinking of changing it, note that the user id of the web server is defined in the /etc/httpd/conf/httpd.conf file.<BR /><BR />SEP Mon, 11 Sep 2006 20:17:49 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002597#M47743 Steven E. Protter 2006-09-11T20:17:49Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002598#M47744 <BR />And as for Apache hardening - it's not so trivial, if you take into account dynamic sites with PHP/DB and so on.<BR />But for start:<BR />RHEL manual <A href="http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/" target="_blank">http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/</A><BR /><BR />and <BR /><A href="http://xianshield.org/guides/apache2.0guide.html" target="_blank">http://xianshield.org/guides/apache2.0guide.html</A><BR /> Tue, 12 Sep 2006 02:29:58 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002598#M47744 Vitaly Karasik_1 2006-09-12T02:29:58Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002599#M47745 Thanks folks for the response. <BR /><BR />I found the webserver is being run by user "nobody" . I hope it to be safe.<BR /><BR /> Tue, 12 Sep 2006 07:20:43 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002599#M47745 girishb 2006-09-12T07:20:43Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002600#M47746 Some basic points to making Apache secure:<BR /><BR />* Most of Apache's functionality is split into different modules. Usually the default configuration includes modules you don't need in your specific situation. Disable the modules you don't need: it makes your configuration simpler to handle, and reducing the amount of running code will also reduce the possibility of security holes.<BR /><BR />* Know where Apache (and the scripts and/or CGI programs) needs to be able to write. Then keep the file permissions strict, so that Apache can write to only those files and directories it is required to write, and nowhere else.<BR /><BR />* If you create scripts to process input from users, *always* assume the user's input is designed with a hostile intent to cause malfunctions in your script until you have checked it for correctness. Tue, 12 Sep 2006 08:10:00 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002600#M47746 Matti_Kurkela 2006-09-12T08:10:00Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002601#M47747 n typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. Wed, 13 Sep 2006 13:28:07 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002601#M47747 George Liu_4 2006-09-13T13:28:07Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002602#M47748 Thanks all for the reply. Wed, 13 Sep 2006 17:10:59 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002602#M47748 girishb 2006-09-13T17:10:59Z https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002603#M47749 Thanks folks. Thu, 14 Sep 2006 15:13:37 GMT https://community.hpe.com/t5/operating-system-linux/apache-user-check/m-p/5002603#M47749 girishb 2006-09-14T15:13:37Z