Running apache with admin permissions dangerous

apache-2.2dropboxpermissions

I am trying to get my apache server (OS X Lion, not server edition) to run, using a folder inside Dropbox as DocumentRoot. This works fine, as long as I run apache as admin, meaning: with admin permissions. I am sometimes logging into hotspots, so before I do that again I'd like to know if I'm endangering myself; the only things running on the server are files I created.
And 2nd: How can I get apache running with dropbox with no admin account? I tried to chmod 755 the Documents folder inside Dropbox, but it had no effect on apache – though I could see that it had changed permissions when I looked in the Finder.

To clarify:

My Document Root = …/myuser/Dropbox/…/htdocs

Works with apaches httpd.conf having these ernties:

User [some admin]

Group admin

What permissions to I have to apply to htdocs to get apache running as _www:_www?

Best Answer

Apache is designed to be run as regular user. In production environments it's normal to chroot software that can't do this.

If you do this only for your own machine, for private use, you're good. In production it's definitely not a good idea.

As for permissions:

try

sudo chown -R _www:_www /path/to/dir
sudo chmod -R 755 /path/to/dir

(or, if the OSX chmod supports non-octal modes, use this: sudo chmod -R u+rwX,g+rX,o+rX /path/to/dir)

Your user will be able to only read the files, he won't be able to delete them though.

Add yourself to _www group (under linux it's gpasswd -a user-name _www, don't know if it'll work with OSX) and change permissions:

sudo chmod -R 775 /path/to/dir

But you may need to adjust the umask for apache to 002 to keep those files this way.

Related Solutions

How to tell which config file Apache is using

With any *nix application, the easiest method is to query the binary itself. In the case of httpd, I'd imagine the process would be something like this:

$ whereis httpd
/usr/sbin/httpd
$ /usr/sbin/httpd -V
Server version: Apache/2.2.11 (Unix)
Server built:   Jun 17 2009 14:55:13
Server's Module Magic Number: 20051115:21
Server loaded:  APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_FLOCK_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr"
 -D SUEXEC_BIN="/usr/bin/suexec"
 -D DEFAULT_PIDLOG="/private/var/run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/private/var/run/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/private/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/private/etc/apache2/httpd.conf"

As you can see - my OS X says the binary, if not directed otherwise, will use the config file: /private/etc/apache2/httpd.conf

If that doesn't help, perhaps Christopher's suggestion of find is the next step.

Windows network: Set apache DocumentRoot in network directory

First recommendation: get rid of the drive letter, and just use the UNC path in Apache's config - it should work just fine.

If for some reason you need to keep mapping the drive, then the better option would be to change the user that Apache's running as, and create a drive mapping under the new account for the Apache service.

But, if you do want to keep it running as local system, there's an ugly hack that can do the trick; grab psexec, run psexec -i -s cmd.exe, then map the drive with net use z: \\path\to\share /persistent:yes.

Best Answer

Related Solutions

How to tell which config file Apache is using

Windows network: Set apache DocumentRoot in network directory

Related Topic