Why is apache2 running as root on my Lubuntu?

5 pointsgolgo_132y ago8 comments

I use a small netbook to run a web crawler, and it uses Lubuntu with minimal applications. I have definitely never installed apache on this machine. ps is showing it running as root user as well as my user ID. I uninstalled it and the process is gone. But why was it there to begin with?

8 comments

LinuxBender2y ago

Does your web crawler run as a non-root user and not in sudoers? Does sudoers allow passwordless sudo? Could it be the crawler hit a malicious URL designed to trick crawlers into executing commands or code using a parsing bug?

Or by chance does your crawler or some other package have a web UI that utilizes Apache as a dependency but you perhaps have always used the CLI? By default apache should not be running as root. There should be an suexec in the configuration file and the child processes should be running as a non-root service account. Are there any comments possibly left by a script in the config?

Do you have package installation logs in /var/log somewhere? I dont use the Ubuntu variants so not sure which log this would be. Maybe /var/log/apt/? or /var/log/dpkg.log or maybe there are entries in /var/log/messages? Packages installed just prior to or just after apache2 may give some clues as to what pulled it in as a dependency.

toast02y ago

> By default apache should not be running as root.

Everywhere I've run apache, it runs the control process as root, and the serving processes as (nobody|www|something); that way it can open new sockets when reloading the config, if required, before forking new serving processes. There's ways you can avoid a root control process, but that's going to be the default, as it's the easiest way to achieve the results people usually want.

golgo_13OP2y ago

Hmmm it's just a Python/selenium bot... I think selenium runs on a given local-loopback:port, but I don't think it uses apache though?

LinuxBender2y ago

Your bot would not intentionally by design, but if it were tricked into parsing a malicious URL then the remote site could potentially trick your bot into executing code or commands but this is hypothetical and less likely than some application you installed pulling apache in as a dependency.

I would first check all the logs. Also look in /var/log/audit/audit.log if you have auditd enabled.

golgo_13OP2y ago

will poke around the logs a bit though... thanks!

golgo_13OP2y ago

actually could it have in included when installing build-essential from apt repo?

LinuxBender2y ago

If this was done through apt then I would expect it to be in your logs unless they rotated out. Older logs may be .gz or .bz2 compressed. Oldest logs may be gone.

ecesena2y ago

Why it’s running as root: to bind to port 80 (any port < 1024) it needs root privileges.

As toast0 said, you’ll see multiple processes with different users.

Why it was there I don’t know :)

j / k navigate · click thread line to collapse

8 comments

LinuxBender2y ago

toast02y ago

> By default apache should not be running as root.

golgo_13OP2y ago

Hmmm it's just a Python/selenium bot... I think selenium runs on a given local-loopback:port, but I don't think it uses apache though?

LinuxBender2y ago

I would first check all the logs. Also look in /var/log/audit/audit.log if you have auditd enabled.

golgo_13OP2y ago

will poke around the logs a bit though... thanks!

golgo_13OP2y ago

actually could it have in included when installing build-essential from apt repo?

LinuxBender2y ago

If this was done through apt then I would expect it to be in your logs unless they rotated out. Older logs may be .gz or .bz2 compressed. Oldest logs may be gone.

ecesena2y ago

Why it’s running as root: to bind to port 80 (any port < 1024) it needs root privileges.

As toast0 said, you’ll see multiple processes with different users.

Why it was there I don’t know :)

j / k navigate · click thread line to collapse