Finding out what user Apache is running as?
why has this question been downvoted? Yes, it’s been updated as it has been answered elswhere, but I see no need to down vote? It’s a perfectly good question? Perhaps our down voter would care to add a constructive comment regarding this?
You might want to post that update as an answer, and accept it, as you are currently in the Unanswered queue.
The next question: what to do because its one of two users, like root and www-data . How do you give the «right» Apache group a permission to access something?
15 Answers 15
ps aux | egrep ‘(apache|httpd)’ typically will show what apache is running as.
Usually you do not need to change the default user, «nobody» or «apache» are typically fine users. As long as its not «root» 😉
edit: more accurate command for catching apache binaries too
I have 3 processes ( /usr/sbin/apache2 -k start ), one’s user is root and the other two www-data . Should I be concerned?
@zundi, the service starts as root in order to do things like bind to reserved ports (e.g. 80 and 443). Then it starts whatever the configured number of processes are, to do the web-server work, and any other tasks, as the defined users. That way requests are being handled by non-privileged processes. You will notice the the parent ID (PPID) is the same for all of the other processes. That idea with be the PID for that one process running as root.
You can try the following command:
ps -ef | egrep '(httpd|apache2|apache)' | grep -v `whoami` | grep -v root | head -n1 | awk ''
You’re litterally hidding lines from root user, which means that if apache is running as root, well, it doesnt show anything. Same for the current logged user.
Use apachectl -S , which will show something Apache user and group, something like this:
This is a good answer, because it is the one command that tells you a lot more about your running web server and presents it in a comprehensive way.
Oddly, on the Mac, although it shows as ‘_www’, you use ‘www’ without the underscore for various commands (notably chown). By the way, this varies according to version of MacOs/Apache/Apache package. It’s ‘_www’ on my macOs Big Sur with Apache 2.4.38 from MacPorts. It used to be ‘staff’ on older builds, and I think it’s different if you use Homebrew.
According to the ubuntuforums.org, on Ubuntu the default user for apache2 is www-data .
Seen to be true on Ubuntu 13.10 Saucy.
To be sure what [the user] is really set to, check the actual configuration files. The umbrella file, apache2.conf will have something like the following,
That is a reference to environment variables set in /etc/apache2/envvars . mod_suexec also allows scripts to be run as yet a different user and group.
To find any virtual hosts, which may use alternate users, groups, or both, check the configurations.
$ egrep "^User|^Group|^SuexecUserGroup" /etc/apache2/apache2.conf /etc/apache2/sites-available/*.conf
For Red Hat based distributions it would be (usually its user running httpd is apache ):
$ egrep "^User|^Group|^SuexecUserGroup" /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
I know that this is an old post, but it is still listed as unanswered, so I will make a suggestion. If you can’t find which user or group Apache is running as, perhaps try opening the httpd.conf file. There should be an entry there for «User» and «Group». Not only can you see which user Apache is supposed to be running as, but you can change it if you feel the need to do so.
You can include a line of code in your PHP script:
Watch out here, this shows the user that PHP runs under, not the Apache user. If using mod_php these are the same but if, as is now very common, you’re using something else (like php_fpm) they can easily be different.
This code will — more or less — alphabetically list all the non-root users running processes containing apache (or whose name contains apache )
ps aux | grep -v root | grep apache | cut -d\ -f1 | sort | uniq
The list will probably include users who are running processes like ‘grep apache’, such as your fine self.
- To find out the user, you can simply use ps aux | grep apache while it is running.
- You don’t need to, but if Apache is running as root there are security issues.
- Thirdly, changing the user of Apache will change his rights to access some directories. You need to make sure that /var/www (or wherever you have your websites) is accessible to the new user and group. On the systems I have looked at, apache was always installed using apache:apache (or similar) as user and group, so it should probably already be set like that.
NOTE: This is the same answer I gave on Stackoverflow.
Or you can check the apache configuration file and look for the owner & group.
An alternative approach, at least for Debian/Ubuntu-based distros, is to use the same method Apache does to set its user and group: source /etc/apache2/envvars !
$ echo "$(source /etc/apache2/envvars && echo "$APACHE_RUN_GROUP")" www-data
If you want to get fancy, you can suppress errors if the file is not found, and provide a default value:
$ apacheuser=$( source /fail/etc/apache2/envvars 2>/dev/null && echo "$APACHE_RUN_GROUP" || echo nobody ) $ echo "$apacheuser" nobody
APACHE_USER=$(ps axho user,comm|grep -E "httpd|apache"|uniq|grep -v "root"|awk 'END ')
I found most of the solutions offered here are system- or configuration- specific (in particular, most of the solutions do not work at all on MacOS) and a few rely on the user knowing where Apache’s configuration files are in the first place.
So I cheat a bit and let Apache itself tell me what’s what.
The simple command apachectl -S will tell you what you need to know about a running instance of Apache, and its results can be parsed fairly easily. Here’s my solution, which I use at the top of a few bash scripts to determine a variety of things I might need at any given time.
# Store the results so we don't have to keep calling apachetl. astatus=`apachectl -S` # Now grab whatever you want from the result. HTTPD_ROOT_DIR=$(expr "`echo "$astatus" | grep ServerRoot`" : ".*\"\(.*\)\".*") HTTPD_DOC_DIR=$(expr "`echo "$astatus" | grep \"Main DocumentRoot\" `" : ".*\"\(.*\)\".*") HTTPD_USER=$(expr "`echo "$astatus" | grep \"User:.*name=\" `" : ".*\"\(.*\)\".*") HTTPD_GROUP=$(expr "`echo "$astatus" | grep \"Group:.*name=\" `" : ".*\"\(.*\)\".*")
These values can then be used as such:
echo $HTTPD_ROOT_DIR // /etc/httpd echo $HTTPD_DOC_DIR // /var/www echo $HTTPD_USER // www-data echo $HTTPD_GROUP // www-data
How do I determine the user Apache is run as?
How to check what is Apache user? I need to give read write permission to it, for some directories in my web root and outside of thee web root directory, how can i do that? Since I dont have proper idea of what Apache user is, I cannot answer my next question.
Why do you need to give read/write permission to it when you don’t know what it does in the first place? Can you add some more detail?
Currently for my software to work well, I need to give 777 permission to the whole directory. But to avoid that, i was suggested to give apache user the correct permissions so that i can avoid doing 777.
the server can be windows/linux. The scenario is, I want to first check whether the concerned directories are writable by apache user programtically using php, and in case if they are not writable, then ask to user to give write permissions to the apache user. so i want to know, what is apache user, how can i give write permissions to it, and how can i test it programatically. i just found that there is some method in php called «is_writable» which i will be using.
6 Answers 6
ps aux | egrep ‘(apache|httpd)’ typically will show what apache is running as.
Usually you do not need to change the default user, «nobody» or «apache»
At the very least you need to specify the OS you are using. Look in your httpd.conf for the «User» directive. It will tell you what user apache will run as.
BTW, I took a quick glance over the user directive in apache, but I did not get the concept properly, can you refer me some links? and Im not getting how to grant permission to that apache user, I mean what command will i write to do that
The apache2 user can be found out as follows. Go to /etc/apache2/apache2.conf and look for User
To find out the value for APACHE_RUN_USER and APACHE_RUN_GROUP, check in /etc/apache2/envvars
export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data
You may try to use the following command to check it:
ps axo user,group,comm | egrep '(apache|httpd)'
Or further more (to extract exact username) via:
ps axo user,group,comm | egrep '(apache|httpd)' | grep -v ^root | uniq | cut -d\ -f 1 ps axo user,group,comm | egrep '(apache|httpd)' | grep -v ^root | tail -1 | awk ''
For Apache group, use the following command:
ps axo user,group,comm | egrep '(apache|httpd)' | grep -v ^root | uniq | cut -d\ -f 2
Answer 1: what is an Apache user and where it is defined
In my default http.conf file located under /etc/apache2/httpd.conf (this file location varies by OS ) om my MAC, apache user is _www ( default user name as it comes with apache download )
since I see this in my httpd.conf
Answer 2: how do I give this user the read write permission to a folder «foo»
check who owns foo, by doing ls -l # Use chown command to make _www ( apache user ) own "foo" folder chown _www foo # user chmod +666 to make this "foo" folder read write accessible chmod 666 foo
Apache user is typically the user that the apache httpd server uses when running. It uses this «apache» user to avoid having to use a «human» user, and to avoid having to run as root.
Advantages of installing an «apache» user include not having to run as root, so during the handling of http requests, there is less risk in damaging and losing the entire operating system.
The only real disadvantage of having an «apache» user is that you need to make web presented content accessible to the «apache» user. That typically involves a combination of the unix commands chown , chmod , and sometimes various selinux commands.