SOLVED Symlink Protection patchset

[John Schmerold]

A recent cpanel blog post refers us to The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare

CloudLinux states: "On standard RPM Apache installation, Apache is usually running under GID 48. On cPanel servers, Apache is running under user nobody, GID 99"

How do we know if Apache is running on GID 99 or 48?

 

[Muhammed Fasal]

Hi,

You need to login to your server via SSH as root user and then execute below command to know UID and GID of Apache Process:

ps -o euid,egid --ppid `netstat --inet --inet6 -pln|awk '/:80 / { split($7,tmp, "/"); print tmp[1]; }'`|sort |uniq|grep -v EUID​

 

[24x7server]

Hi,

You can also check this via executing below command directly on your server.

# id apache
The output of this command would be like:
uid=48(apache) gid=48(apache) groups=48(apache)

 

[John Schmerold]

OK, in my case it appears to be running as user "nobody" is that optimal?
[[email protected] ~]# ps -o euid,egid --ppid `netstat --inet --inet6 -pln|awk '/:80 / { split($7,tmp, "/"); print tmp[1]; }'`|sort |uniq|grep -v EUID
99 99
EUID EGID
[[email protected] ~]# id nobody
uid=99(nobody) gid=99(nobody) groups=99(nobody)

id apache does not exist

 

[cPWilliamL]

Hi,

The internal Apache configuration will also denote this:

# grep -E ' (user|group):' /var/cpanel/conf/apache/main
  group:
      group: nobody
  user:
      user: nobody

This is normal. I also wouldn't recommend trying to change the Apache user, as there are certain safeguards in place to prevent abuse by the Apache user `nobody'.

Thanks,