
I run an Apache prefork MPM on Ubuntu 10.04 server. It listens on port 8080. One process runs as root, and the child processes run as www-data. This is as advertised.

However, the root process does answer requests, too! Therefore, some requests are answered as root, and most as www-data. This is unfortunate of course.

What's the reason for this? httpd.conf says

MinSpareServers 2
MaxSpareServers 5
StartServers 1
MaxClients 50
Torsten Bronger

1 Answer

I believe what you're seeing is perfectly safe: the parent process has internally dropped root perms down to www-data for the bits that do the request processing. The process itself is of course still owned by root, since root started it and it still needs to run some things as root if they get invoked (like signal handlers to handle reloading the config file(s) and reconfiguring the server).

pjz
  • One Python module that we use reads a file from $HOME, and the value of $HOME depends on whether it's the root or www-data process. Therefore, approx. 20% of all requests fail. Of course, we could override this, but I still feel uncomfortable with it. What's the owner of uploaded files which Apache saves to the file system? Also root in 20% of the cases? I haven't tested that so far. – Torsten Bronger Jul 02 '10 at 10:58
  • That behavior sounds like a bug to me; can you get a good repro of it over to the apache server guys? What do they say? – pjz Jul 07 '10 at 17:43
  • I've done further testing. The permissions are indeed always those of www-data. It's just the environment that's varying. And because Python's whoami function relies on it, it sometimes returns "www-data" and sometimes "root". I still don't know what changes the environment. Heartbeat/Pacemaker seems to be involved. Anyway, I have a workaround, and there is no security hole, so it's okay. – Torsten Bronger Jul 10 '10 at 22:26
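
An added example, not part of the original thread: it contrasts the identity a Python process reads from its environment with the credentials the kernel actually enforces, which is the difference the last comment describes. It assumes the "whoami function" behaves like getpass.getuser(), which consults LOGNAME, USER, LNAME and USERNAME before the passwd database; the environment values below are constructed.

```python
import getpass
import os
import pwd

# Constructed values standing in for an environment inherited from another account.
CONSTRUCTED_ENV = {"LOGNAME": "constructed-parent-user",
                   "HOME": "/constructed/parent/home"}


def kernel_identity():
    """Return (name, home) for the effective UID, taken from the passwd database."""
    euid = os.geteuid()
    try:
        entry = pwd.getpwuid(euid)
        return entry.pw_name, entry.pw_dir
    except KeyError:
        # UID without a passwd entry (common in minimal containers).
        return str(euid), None


def identity_report():
    """Compare environment-derived identity with the process credentials."""
    real_user, real_home = kernel_identity()
    env_user = getpass.getuser()         # environment first, passwd as fallback
    env_home = os.path.expanduser("~")   # $HOME first, passwd as fallback
    mismatch = env_user != real_user or (
        real_home is not None and env_home != real_home)
    return {"euid": os.geteuid(), "real_user": real_user, "real_home": real_home,
            "env_user": env_user, "env_home": env_home, "mismatch": mismatch}


def demo_inherited_environment():
    """Run identity_report() under CONSTRUCTED_ENV, then restore the environment."""
    saved = {key: os.environ.get(key) for key in CONSTRUCTED_ENV}
    os.environ.update(CONSTRUCTED_ENV)
    try:
        return identity_report()
    finally:
        for key, value in saved.items():
            if value is None:
                os.environ.pop(key, None)
            else:
                os.environ[key] = value


if __name__ == "__main__":
    print("as started:   ", identity_report())
    print("inherited env:", demo_inherited_environment())
```

Code that must know which account it runs as, or where that account's home directory is, can use kernel_identity() in place of the environment-based calls.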