I appreciate any help!
Try:
# /usr/local/apache/bin/httpd -c /usr/local/apache/conf/httpd.conf
and let us know the errors.
Anyway, the basic fix will be /scripts/easyapache or WHM -> Apache update.
From the console it gives this error:
From the rebuild in WHM, it says:
Attempting to restart httpd
look in /etc/httpd/conf/httpd.conf
and search for these
I think yours are
search in httpd.conf a directive named:
You might want to check on gid/uid of root. Using your favorite editor,
pico /etc/passwd
and make sure that this directive is there:
root:x:0:0:root
In /etc/group, it should be
root:x:0:root
No other entry in both files should have gid/uid of root (0).
In this post I will explain how to setup document root for apache server.
Initially the document root is set to /var/www/html by default. We need to change it when we have web applications in /var/www/html/folder.
Changing apache2 document root
The default document root is set in the 000-default.conf file that is under /etc/apache2/sites-available folder.
$ cd /etc/apache2/sites-available
$ sudo nano 000-default.conf
While the file is opened change DocumentRoot /var/www/ with your new folder e.g DocumentRoot /var/www/html/engelsystem/public where your index.php file resides
Set the right Apache configuration
The configuration of the /var/www folder is under /etc/apache2/apache2.conf. Edit this file to add the configuration of your new document root.
$ sudo nano/etc/apache2/apache2.conf
Require all granted
and change the directory path:
Require all granted
$ sudoservice apache2 restart
Apache is not required and thus not configured to have any other access for security reasons, as even an exploit to a poorly written PHP or Perl script will not escalate and cause much harm to the system.
Open Apache‘s configuration file using your preferred text editor.
$ sudo vi /etc/apache2/apache2.conf Password:
root root
$ sudo chown --recursive username:groupname /home/user/website/
Restart Apache service for changes to take effect.
$ sudo systemctl restart apache2 #Ubuntu, Debian, openSUSE and SLES $ sudo systemctl restart httpd # CentOS and Red Hat
Check if the changes was successful.
$ ps aux | grep apache2 root 1188 0.0 0.1 162184 6664 ? Ss Mar29 0:02 /usr/sbin/apache2 -k start root 1197 0.0 0.1 162184 5668 ? S Mar29 0:00 /usr/sbin/apache2 -k start root 1198 0.0 0.1 162184 5916 ? S Mar29 0:00 /usr/sbin/apache2 -k start root 1200 0.0 0.1 162184 5684 ? S Mar29 0:00 /usr/sbin/apache2 -k start root 1201 0.0 0.1 162184 5684 ? S Mar29 0:00 /usr/sbin/apache2 -k start root 1202 0.0 0.1 162184 5684 ? S Mar29 0:00 /usr/sbin/apache2 -k start
Discuss the article:
Comment anonymously. Login not required.
< ?php echo `whoami`; ?>
124 gold badges465 silver badges653 bronze badges
asked Mar 26, 2012 at 13:58
Create a shell script that does what you want. This is not a PHP script as PHP is run within the web server, you need a script that is run by Ubuntu. Here is a sample:
#!/bin/sh # script that runs as root whoamiI called this file
/localstore/root.shand you should place it somewhere that makes sense on your systems (e. g./home/www_data/bin).ALL ALL=NOPASSWD: /localstore/root.shThat will allow anyone to run the script as root, once you test and confirm it work, I strongly recommend (again for security purposes) that you change the line to
nobody ALL=NOPASSWD: /localstore/root.sh< ?php exec ("sudo /localstore/root.sh"); ?>You can add parameters to the script inside the quotes.
That should get it so the
root.shscript executes as root when invoked from your web server. If you have other scripts, they can be a comma separated list on that same entry in thesudoersfile. Make sure the permissions on the script allow execution by the web server.
answered Apr 19, 2012 at 14:42
In my situation I was also confounded by the requirement to include an option in my virtual host configuration — specifically adding the
Require all grantedwithin my directory configuration as described in this article
answered Apr 2, 2018 at 18:31
The Short Answer:
Details on this are below, and many web servers in the repositories have similar types of setups (NGINX operates on the same basic principles as well).
The Apache Master Process — This Accesses Configuration Files and Binds Workers to Ports <= 1024:
Apache’s master process needs to run as root.
The Master process doesn’t do much more than this, really, and doesn’t handle actual requests from clients, nor does it actually interact with web docroots, etc.
The Apache Worker Processes — They Handle Requests from and Responses To Web Browsers:
Apache’s workers actually handle requests coming in to the web server, and handle accessing data on the system and sending the response to clients. This is, I believe, where your IT policy really is talking about running as non-root.
Why I think there is miscommunication between policy and you, or why I think your IT policies need revisited and you should be talking to the IT people in your environment:
If your company / workplace is stating «We cannot let Apache run as root at all», then check with the company’s IT staff.
The reason that this is a ‘bad’ or ‘misinterpreted’ policy is because you cannot use http://somewebaddress.tld or https://somewebaddress.tld on your domain if Apache cannot bind to port 80 or 443 respectively. If they do not want the master process to run as root, then you will have to manually change the ownership of /etc/apache2/* or provide a separate data directory for configurations, and then have all Apache-served sites listen on ports higher than 1024.
When I run the ps -efH command to list out all the process, I can see Apache running as root and seems to have sub-processes running as www-data. Here’s the excerpt:
root 30117 1 0 09:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30119 30117 0 09:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30120 30117 0 09:10 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 30121 30117 0 09:10 ? 00:00:00 /usr/sbin/apache2 -k start
asked Jul 29, 2011 at 15:37
Apache has to run as root initially in order to bind to port 80. If you don’t run it as root initially then you cannot bind to port 80. If you want to bind to some port above 1024 then yes, you can. Otherwise don’t worry about root. That is the parent Apache process and does not serve any requests. It will spawn child processes and drop privileges for handling requests.
answered Jul 29, 2011 at 16:01
The location of the master configuration file depends on compile-time options and varies per distribution, but /etc/apache2/apache2.conf is a good starting guess.
answered Jul 31, 2011 at 14:59
2 gold badges14 silver badges18 bronze badges
In Ubuntu at least, the settings for this are in /etc/apache2/envvars. Tweak those, then restart apache and you’re off and running.
answered Sep 30, 2014 at 19:49
2 gold badges15 silver badges19 bronze badges
Also, check out Apache2 ITK MPM.
It forks an Apache thread with the assigned uid/gid, this let’s you keep using mod_php. No more chmod/chown etc.
13 gold badges31 silver badges36 bronze badges
answered Aug 23, 2013 at 8:21
What worked for me is going into apache config file:
/etc/apache2/httpd.confand bumped into:
User _www
Group _wwwanswered Oct 19, 2016 at 19:40
Allowing web-user on apache server to run scripts as root
So let’s say that you need a server which hosts a simple web page and does a particular task based on data entered into that web-page.
The normal way of doing this is to navigate to /var/www/html and place the web page you want to host here.
You also need to put your php script in this folder so that it is accessible from the website.
This php script will take in the data from your web-page and run the necessary commands that you need to be executed on the server.( I am assuming you are not using “The Real Dev Language” for now. :p )
I will be using a simple web page and script that I have made for this post.
<html>
<head> <title>Apk Generator</title> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link data-hren="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous"> <link data-hren='https://fonts.googleapis.com/css?family=Roboto:400,100' rel='stylesheet' type='text/css'> <link data-hren="css/main.css" rel="stylesheet">
</head>
<body>
<div class="container"><br><br>
<form name="htmlform" id="form" enctype="multipart/form-data" class="col-md-offset-4 col-xs-offset-2 col-xs-8 col-md-4 form-group generator_form" > <label for="name">Email</label> <input type="email" class="form-control" id="Email" name="Email"> <br> <input type="hidden" id="theme" name="theme" value="light"> <label for="name">App's Name</label> <input type="text" class="form-control" id="App_Name" name="App_Name"> <br> <label> Choose your data source </label> <ul style="list-style-type:none"> <li><input type="radio" name="datasource" value="jsonupload"> Upload your own JSON files </input></li> <li><input type="radio" name="datasource" value="eventapi"> API endpoint of event on OpenEvent </input></li> </ul> <br> <section id="eventapi-input" style="display:none;"> <label for="apiendpoint">Link to Open Event API endpoint</label> <input type="url" class="form-control" id="Api_Link" name="Api_Link"> </section> <br> <section id="jsonupload-input" style="display:none;"> <input type="file" name="uploadZip" id="uploadZip" class="form-control"/> <br> </section> <br> <input type="hidden" name="assetmode" value="download"> <center> <br> <div id="status"></div> <br>
<tr> <td colspan="5" style="text-align:center"> <button type="submit">Generate and Download app</button>
</td>
</tr>
</table>
</form>
<script src="https://www.gstatic.com/firebasejs/live/3.0/firebase.js"></script>
<script src="https://code.jquery.com/jquery-3.1.0.min.js"></script>
<script src="https://code.jquery.com/ui/1.12.0/jquery-ui.js"></script>
<script> $('input:radio[name="datasource"]').change( function() { if ($(this).is(':checked')) { if ($(this).val() === 'mockjson') { $('#jsonupload-input').hide(100); $('#eventapi-input').hide(100); } if ($(this).val() === 'jsonupload') { $('#jsonupload-input').show(100); $('#eventapi-input').hide(100); } if ($(this).val() === 'eventapi') { $('#eventapi-input').show(100); $('#jsonupload-input').hide(100); } } }); var $ = jQuery; var timestamp = Number(new Date()); var form = document.querySelector("form"); form.addEventListener("submit", function(event) { event.preventDefault(); var ary = $(form).serializeArray(); var obj = {}; for (var a = 0; a < ary.length; a++) obj[ary[a].name] = ary[a].value; console.log("JSON",obj); if(obj.Email == "" || obj.App_Name ==""){ alert("It seems like you forgot to fill up your email address or the app's name"); setTimeout("location.reload(true);", 1); } else{ alert("Please wait while we generate the app, meanwhile you can stick around to directly download it.The app will also be emailed to you."); $.ajax({ type: "POST", url: "/test.php", data: { timestamp : timestamp }, success: function(response){ console.log("Success",response); window.location = response; } }); } }); </script> </div>
</body>
</html>This is basically a web page with some inputText widgets which accept response and send it to a php file named test.php on the server via an AJAX post.
<?php
if(isset($_POST['timestamp']))
{ $uid = escapeshellcmd($_POST['timestamp']); exec("sudo sh /var/www/email.sh $uid");
}
?>Well, here is where the problem arises, as I am trying to run the bash file as root.
You might wonder as to why is this such a big issue?
Why can’t we do that?
Well, we can surely do that on the server but the point to be noted here is that we are not running this script directly from the server.
We are running it from a web page which is hosted on a server.
Solution 1 :
sudo visudo
www-data = (root) NOPASSWD: /path/to/script.sh
In case you have to execute one script as root which in turn executes some more scripts as root, you don’t need to set the path to all of them over here.
Doing it only for the parent script will do the job.
Solution 2 :
You can go through the article here :https://www.digitalocean.com/community/tutorials/how-to-use-suexec-in-apache-to-run-cgi-scripts-on-an-ubuntu-vps
I’ll be adding more solutions as I find them along the way.
Meanwhile feel free to comment below your thoughts, suggestions and queries.
I noticed today that when making requests from our web server, things were rather slow.
I started looking into it and I’ve found a load of root owned apache processes.
I don’t know for sure that this is actually what’s causing things to be slow, but none the less, it doesn’t look good.
problem is, I don’t know what to do from here?
How do I find out why there are so many root processes?
Could some recommend a set of tests? I’ve tried stracing a few of them, and they appear to be doing something, but the output of strace is beyond me.
root 30918 1.8 1.3 84284 52296 ? Ss 14:11 0:01 /usr/sbin/apache2 -k restart
root 30919 0.0 1.1 84420 45612 ? S 14:11 0:00 /usr/sbin/apache2 -k restart
root 30920 0.0 1.1 84420 45604 ? S 14:11 0:00 /usr/sbin/apache2 -k restart
root 30921 0.0 1.1 84420 45612 ? S 14:11 0:00 /usr/sbin/apache2 -k restart
root 30922 0.1 1.1 84420 45612 ? S 14:11 0:00 /usr/sbin/apache2 -k restart
root 30923 0.0 1.1 84420 45612 ? S 14:11 0:00 /usr/sbin/apache2 -k restart
www-data 30926 6.6 1.5 104964 61336 ? S 14:12 0:03 /usr/sbin/apache2 -k restart
root 30930 0.1 1.1 84420 45616 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 30933 0.0 1.1 84420 45616 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 30935 0.0 1.1 84420 45616 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 30936 0.0 1.1 84420 45616 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 30937 0.0 1.1 84420 45616 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 30938 0.0 1.1 84420 45616 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 30961 0.0 1.1 84420 45612 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 30989 0.0 1.1 84420 45612 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 30990 0.0 1.1 84420 45612 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 31011 0.1 1.1 84420 45612 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 31013 0.1 1.1 84420 45612 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 31014 0.0 1.1 84420 45612 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
www-data 31175 2.5 1.5 104168 60524 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
www-data 31189 2.3 1.4 102360 58920 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
www-data 31190 1.5 1.4 101904 58356 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
www-data 31191 0.3 1.1 84556 46760 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
www-data 31192 1.4 1.4 101916 58384 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
www-data 31193 1.5 1.4 101916 58376 ? S 14:12 0:00 /usr/sbin/apache2 -k restart
root 31240 0.1 1.1 84420 45612 ? S 14:12 0:00 /usr/sbin/apache2 -k restartthis is an example of the output from strace from one of the processes.
--- SIGCHLD (Child exited) @ 0 (0) ---
read(6, 0xff87f6ef, 1) = -1 EAGAIN (Resource temporarily unavailable)
getuid32() = 0
close(17) = 0
gettimeofday({1354109303, 670988}, NULL) = 0
semop(5668864, {{0, -1, SEM_UNDO}}, 1) = 0
accept(4, {sa_family=AF_INET, sin_port=htons(48107), sin_addr=inet_addr("192.168.16.12")}, [16]) = 17
fcntl64(17, F_GETFD) = 0
fcntl64(17, F_SETFD, FD_CLOEXEC) = 0
semop(5668864, {{0, 1, SEM_UNDO}}, 1) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xf74a2768) = 1949
waitpid(1949, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 1949
--- SIGCHLD (Child exited) @ 0 (0) ---
read(6, 0xff87f6ef, 1) = -1 EAGAIN (Resource temporarily unavailable)
getuid32() = 0
close(17) = 0
gettimeofday({1354109305, 724358}, NULL) = 0
semop(5668864, {{0, -1, SEM_UNDO}}, 1) = 0
accept(4, {sa_family=AF_INET, sin_port=htons(48132), sin_addr=inet_addr("192.168.16.12")}, [16]) = 17
fcntl64(17, F_GETFD) = 0
fcntl64(17, F_SETFD, FD_CLOEXEC) = 0
semop(5668864, {{0, 1, SEM_UNDO}}, 1) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xf74a2768) = 1974
waitpid(1974, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 1974
--- SIGCHLD (Child exited) @ 0 (0) ---
