mod_unixd.xml revision b682e60dd82772dba52ba77138e494f15c00a551
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
932d8cdf9e85a610ad4391af5f0195ff9ed7d286rpluem<!-- $LastChangedRevision$ -->
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq Licensed to the Apache Software Foundation (ASF) under one or more
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq contributor license agreements. See the NOTICE file distributed with
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq this work for additional information regarding copyright ownership.
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq The ASF licenses this file to You under the Apache License, Version 2.0
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq (the "License"); you may not use this file except in compliance with
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq the License. You may obtain a copy of the License at
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq Unless required by applicable law or agreed to in writing, software
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq distributed under the License is distributed on an "AS IS" BASIS,
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq See the License for the specific language governing permissions and
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq limitations under the License.
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<description>Basic (required) security for Unix-family platforms.</description>
b682e60dd82772dba52ba77138e494f15c00a551trawick<seealso><a href="/suexec.html">suEXEC support</a></seealso>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<directivesynopsis>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<description>Group under which the server will answer
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniqrequests</description>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<contextlist><context>server config</context></contextlist>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<compatibility>Only valid in global server config since Apache
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq2.0</compatibility>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq <p>The <directive>Group</directive> directive sets the group under
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq which the server will answer requests. In order to use this
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq directive, the server must be run initially as <code>root</code>. If
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq you start the server as a non-root user, it will fail to change to the
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq specified group, and will instead continue to run as the group of the
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq Group www-group
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq </example>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq <p>It is recommended that you set up a new group specifically for
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq running the server. Some admins use user <code>nobody</code>,
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq but this is not always possible or desirable.</p>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq <p>Don't set <directive>Group</directive> (or <directive
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq module="mod_unixd">User</directive>) to <code>root</code> unless
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq you know exactly what you are doing, and what the dangers are.</p>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<seealso><directive module="mod_privileges">VHostGroup</directive></seealso>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<seealso><directive module="mod_suexec">SuexecUserGroup</directive></seealso>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq</directivesynopsis>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<directivesynopsis>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<description>The userid under which the server will answer
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniqrequests</description>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<contextlist><context>server config</context></contextlist>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<compatibility>Only valid in global server config since Apache
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq2.0</compatibility>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq <p>The <directive>User</directive> directive sets the user ID as
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq which the server will answer requests. In order to use this
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq directive, the server must be run initially as <code>root</code>.
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq If you start the server as a non-root user, it will fail to change
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq to the lesser privileged user, and will instead continue to run as
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq that original user. If you do start the server as <code>root</code>,
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq then it is normal for the parent process to remain running as root.
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq <p>The user should have no privileges that result in it being
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq able to access files that are not intended to be visible to the
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq outside world, and similarly, the user should not be able to
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq execute code that is not meant for HTTP requests. It is
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq recommended that you set up a new user and group specifically for
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq running the server. Some admins use user <code>nobody</code>, but
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq this is not always desirable, since the <code>nobody</code> user
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq can have other uses on the system.</p>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq module="mod_unixd">Group</directive>) to <code>root</code> unless
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq you know exactly what you are doing, and what the dangers are.</p>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<seealso><directive module="mod_privileges">VHostUser</directive></seealso>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<seealso><directive module="mod_suexec">SuexecUserGroup</directive></seealso>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq</directivesynopsis>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<directivesynopsis>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<description>Directory for apache to run chroot(8) after startup.</description>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq<contextlist><context>server config</context></contextlist>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq <p>This directive, available in httpd 2.2.9(?) and later, tells the
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq server to <var>chroot(8)</var> to the specified directory after
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq startup, but before accepting requests over the 'net.</p>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq <p>Note that running the server under chroot is not simple,
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq and requires additional setup, particularly if you are running
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq scripts such as CGI or PHP. Please make sure you are properly
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq familiar with the operation of chroot before attempting to use
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq this feature.</p>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq</directivesynopsis>
b682e60dd82772dba52ba77138e494f15c00a551trawick<directivesynopsis>
b682e60dd82772dba52ba77138e494f15c00a551trawick<description>Enable or disable the suEXEC feature</description>
b682e60dd82772dba52ba77138e494f15c00a551trawick<default>On if suexec binary exists with proper owner and mode,
b682e60dd82772dba52ba77138e494f15c00a551trawickOff otherwise</default>
b682e60dd82772dba52ba77138e494f15c00a551trawick<contextlist><context>server config</context></contextlist>
b682e60dd82772dba52ba77138e494f15c00a551trawick<compatibility>Available in Apache httpd 2.3.9 and later</compatibility>
b682e60dd82772dba52ba77138e494f15c00a551trawick <p>When On, startup will fail if the suexec binary doesn't exist
b682e60dd82772dba52ba77138e494f15c00a551trawick or has an invalid owner or file mode.</p>
b682e60dd82772dba52ba77138e494f15c00a551trawick <p>When Off, suEXEC will be disabled even if the suexec binary exists
b682e60dd82772dba52ba77138e494f15c00a551trawick and has a valid owner and file mode.</p>
b682e60dd82772dba52ba77138e494f15c00a551trawick</directivesynopsis>
4c894c7d7c34890a8984b6cc1bcf6c19f15c4c0aniq</modulesynopsis>