# Apache configuration file



## cooltomato (Jun 2, 2012)

Hi all,

I'm quite new to Unix and am wondering about this when it comes to the Apache server. I hope someone can explain this to me.

Why is the user/group in the Apache configuration file www/www?

Cheers,


----------



## DutchDaemon (Jun 2, 2012)

It is common practice in UNIX and FreeBSD to drop the privileges of an Internet server to the lowest possible user/group on the system. In the case of Apache, it's usually nobody or www. The simple reasoning behind this is that when an Internet server is compromised and an attacker enters the host system as the user or group that that server (i.e. Apache) runs as, it has almost no privileges on the host system. So the attacker ends up in a very limited environment, without a shell, without privileges, let alone elevated privileges (like *su* rights). This means that there is no further danger posed by that particular attacker. You'll find that most Internet servers, ranging from Sendmail to Postfix to Dovecot to BIND to $(etc. etc.) all run under unprivileged user/group accounts as soon as they're started. They're started by the root user (to be able to grab a port below 1000), and drop to unprivileged user/group accounts immediately thereafter.


----------
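The start-as-root, bind, then drop sequence described in the reply above, as an added example that is not part of the original posts or Apache's own code. It assumes the `www` account from the question and port 80; `drop_privileges` and its return codes are hypothetical names.

```c
/* Added example: bind the privileged port as root, then drop to an
 * unprivileged account. Account name "www" and port 80 are assumptions. */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_NOT_ROOT = 1, DROP_BAD_TARGET = 2, DROP_FAILED = 3 };

/* Permanently switch the process to uid/gid. Order matters: supplementary
 * groups and gid must change while we are still root, uid goes last. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return DROP_BAD_TARGET; /* that is not a drop */
    if (geteuid() != 0) return DROP_NOT_ROOT;         /* nothing to give up */
    if (setgroups(1, &gid) != 0) return DROP_FAILED;  /* shed root's groups */
    if (setgid(gid) != 0) return DROP_FAILED;
    if (setuid(uid) != 0) return DROP_FAILED;         /* real, effective, saved */
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    struct sockaddr_in addr = { 0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(80);                 /* privileged port: needs root */
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        perror("bind");
        return 1;
    }
    struct passwd *pw = getpwnam("www");       /* assumed account name */
    if (pw == NULL) { fprintf(stderr, "no such user\n"); return 1; }
    int rc = drop_privileges(pw->pw_uid, pw->pw_gid);
    if (rc != DROP_OK) { fprintf(stderr, "drop failed (%d)\n", rc); return 1; }
    /* fd is still usable: listen()/accept() now run as www, not root. */
    printf("listening socket %d held by uid %d\n", fd, (int)getuid());
    return listen(fd, 16) == 0 ? 0 : 1;
}
```

Checking every return value and then confirming that `setuid(0)` fails is the part that matters: a drop that silently fails leaves the server handling requests as root.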

