| Summary: | RFE: running httpd as a non-root user | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joe Orton <jorton> |
| Component: | httpd | Assignee: | Luboš Uhliarik <luhliari> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | carl, dwalsh, jkaluza, jorton, luhliari, pahan, walters |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

Created attachment 1209666: runuser.sh

There is a small set of non-invasive things we can do to make it simpler/easier to run httpd as non-root, by removing from httpd.conf things which are - or should be - hard-coded defaults. Looking through above:

- ServerRoot can probably be removed from httpd.conf (default is /etc/httpd anyway)
- User & Group we could probably hard-code the default to "apache"

Side note: Debian heavily "parameterize" their default apache2.conf with e.g.

```
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
```

I think that would be a backward direction for us, since it means httpd behaviour varies whether invoked as /usr/sbin/httpd or started via httpd.service - breaking principle of least surprise. When I run e.g. "httpd -V" or "httpd -M" as root I don't want that to show something completely different to what httpd is actually running as.
https://www.google.co.uk/search?q=APACHE_RUN_USER+is+undefined

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Description of problem:

RFE from Dan to make it possible to install httpd in such a way where users can run it easily. I am sure exactly how we should integrate this into Fedora httpd.

Basically you need a slightly different /etc/httpd tree. The following seems to be sufficient from an untouched httpd install. (More work required e.g. for mod_ssl config)

```sh
#!/bin/sh
# Refuse to run with XDG_RUNTIME_DIR unset, so "rm -rf" below cannot act on /httpd.
: "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR is not set}"

# Start from an empty per-user server root.
rm -rf "$XDG_RUNTIME_DIR/httpd"
mkdir "$XDG_RUNTIME_DIR/httpd" \
      "$XDG_RUNTIME_DIR/httpd/logs" \
      "$XDG_RUNTIME_DIR/httpd/conf" \
      "$XDG_RUNTIME_DIR/httpd/conf.d"

# Reuse the system module configuration, modules and MIME magic file.
ln -s /etc/httpd/conf.modules.d "$XDG_RUNTIME_DIR/httpd/conf.modules.d"
ln -s /etc/httpd/modules "$XDG_RUNTIME_DIR/httpd/modules"
ln -s /etc/httpd/conf/magic "$XDG_RUNTIME_DIR/httpd/conf/magic"

# Copy httpd.conf, moving to an unprivileged port and dropping ServerRoot.
sed 's/Listen 80/Listen 8080/;/^ServerRoot/d' \
    < /etc/httpd/conf/httpd.conf > "$XDG_RUNTIME_DIR/httpd/conf/httpd.conf"
echo 'PIDFile httpd.pid' >> "$XDG_RUNTIME_DIR/httpd/conf/httpd.conf"
echo "DefaultRuntimeDir $XDG_RUNTIME_DIR/httpd" >> "$XDG_RUNTIME_DIR/httpd/conf/httpd.conf"

# -d makes the per-user tree the ServerRoot.
exec /usr/sbin/httpd -d "$XDG_RUNTIME_DIR/httpd"
```
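
A lint for the settings this report singles out (ServerRoot, the Listen port, User/Group, and Debian-style `${APACHE_RUN_USER}` references), given here as an added example that is not part of the bug report or the httpd package. The function names `lint_nonroot_conf` and `sample_conf` and the sample config are constructed for illustration; it only tracks `Define` lines and environment variables, not `-D` options or included files.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads an httpd config on stdin and
# prints "line: finding" for settings that matter when starting without root.
lint_nonroot_conf() {
    awk '
    /^[ \t]*#/ { next }
    tolower($1) == "define" { defined[$2] = 1 }   # names set by Define
    {
        # ${VAR} with no Define and no environment value: the situation
        # behind the "APACHE_RUN_USER is undefined" search in the thread.
        rest = $0
        while (match(rest, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
            name = substr(rest, RSTART + 2, RLENGTH - 3)
            if (!(name in ENVIRON) && !(name in defined))
                printf "%d: ${%s} is not set in this environment\n", NR, name
            rest = substr(rest, RSTART + RLENGTH)
        }
    }
    tolower($1) == "listen" {
        port = $2
        sub(/^.*:/, "", port)                     # drop an "address:" prefix
        # Assumption: the Linux default, where ports below 1024 are privileged.
        if (port ~ /^[0-9]+$/ && port + 0 < 1024)
            printf "%d: Listen %s needs a port >= 1024 without root\n", NR, $2
    }
    tolower($1) == "user" || tolower($1) == "group" {
        printf "%d: %s only takes effect when httpd starts as root\n", NR, $1
    }
    tolower($1) == "serverroot" {
        printf "%d: ServerRoot %s overrides the directory given with -d\n", NR, $2
    }'
}

# Constructed sample input (not a real Fedora or Debian file).
sample_conf() {
    cat <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
Listen 127.0.0.1:8080
User ${APACHE_RUN_USER}
Group apache
Define docroot /var/www/html
DocumentRoot ${docroot}
EOF
}

sample_conf | lint_nonroot_conf
```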