Apache :: Why does Apache need act as part of the operating systm

Cheeeze · Joined: 04 Jun 2015 Posts: 7 Location: USA, New York

I have looked everywhere for the answer to this, but I can't seem to find it. Apache on Windows requires "act as part of the operating system" permissions. Why?

I ask because "act as part of the operating system" is an extremely high risk permission that can theoretically allow a hacker who compromised the server to access every file on the hard drive. It's the Windows equivalent of root permission. Apache on Linux restricts the worker processes to a limited user, and IIS on Windows also does the same.

So what is it exactly that Apache on Windows needs this permission for?

I seem to be able to run it fine without the permission, but the manual makes it clear to add it. What will break if I don't? (Maybe it's needed for something I don't use.) And why does nobody else on the internet seem to be concerned about this? Am I missing something?

Any help here would be appreciated.

-Using Apache 2.4 on Windows Server 2008
-Apache instructing to add the permission
-MS warning never to give that permission to a user

glsmith

No, some people are concerned. I do not run Apache service as "system", haven't for over a decade. It has it's own dedicated limited user and group. It and all sites are on a separate physical drive also which helps.

See the part below "Never grant any network privileges to the LocalSystem account! If you need Apache to be able to access network resources, create a separate account for Apache as noted below." in that documents page you linked to. This clear up your questions.

Cheeeze · Joined: 04 Jun 2015 Posts: 7 Location: USA, New York

Thanks for the reply glsmith. I also plan to run apache as a separate user, but the apache documentation says to grant "act as part of the operating system" privileges to the new apache user too. Doing so gives it the same privileges that the LocalSystem account has.

I intend to have a user account that ONLY has permission to see the apache folder and nothing else on the computer, but the "act as part of the operating system" permission could theoretically make those read/write permissions irrelevant bc the apache user would be able to impersonate any other user.

...or maybe I'm just misunderstanding how "act as part of the operating system" actually works. Its a sort of obscure permission, so if the apache windows devs needed it, I assume they had a good reason.

Did you grant that permission to your apache user? And if you didn't, has anything stopped working?

OldManRiver · Joined: 21 Jun 2006 Posts: 21

Cheeeze,

You stated you are windows. What installer did you use to install Apache?

You should have used WAMP Server, which is the only one of over 10 Apache installers that actually works seemlessly and with full Linux admin configuration capability and ability to install across all disks, etc on the Windows platform.

All the others only install on specific preset drive/directory and usually prohibit full alias capability to any directory you are using for development.

I haven't used Windows since 2007, but remember all this as developer.

Try WAMP Server and see if all things work right. WAMP has a menu in the "right click" on the icon, so once working you can easily config all Apache settings and Aliases right from there.

Cheers!

OMR

glsmith

OldManRiver,

This has nothing to do with drive/directory/alias'/configuring Apache or installing Apache onto a computer. This has everything to do with Windows Services and how Apache (ALL Apache's for Windows) installs itself as a Windows Service.

Cheeeze · Joined: 04 Jun 2015 Posts: 7 Location: USA, New York

Folks, I appreciate the comments, please keep them coming - maybe we can figure this out.

My original question still stands unanswered: why does apache on windows require "act as part of the operating system"?

Are the devs who port apache to windows on here? How do I ask them? Act as part of the OS is not a Linux permission, so it was either added to apache on Windows, or is used on Windows to replicate what the root apache process did on Linux without changing the code. Except that I don't think there's anything the root apache process does on Linux that requires act as part of the OS permission for Windows - binding to port 80 and reading/writing to folders can all be done with a regular user account.

If nobody knows why its needed, it sounds suspiciously like the NSA sneaking a weakening recommendation into the Apache documentation... I doubt that's it, but someone must know what it's needed for.

glsmith

When documentation talks of NT 4.0 & 2000, it's best to be skeptical.

I'm running Apache, as a service, the service runs on a limited user account, on Win7, and in my Local Policies, "Act as part of the operating system" is empty.

I doubt it's a conspiracy, more likely it's just been carried along since 1.3.14 (released 10/2000), you can find it here http://httpd.apache.org/docs/1.3/win_service.html and can find it in the docs of the 1.3.14 source tarball at the Apache archives.

Then again, it may just be needed in a windows domain/AD type of situation. I do not use them, they're overkill for me so I cannot test it.

James Blond

it is a bad idea to run apache with a AD account. Sometimes that prevents apache from starting if the AD is not reachable (yet) when apache starts.

Steffen

Cheeeze · Joined: 04 Jun 2015 Posts: 7 Location: USA, New York

Hmm... it's been a while but I still haven't been able to find any information on this.

Does anyone have any ideas of where I can find out? How do I contact apache devs (in an appropriate forum)?

Thanks

chipper

Interesting topic...I created a service account and set it per the following: Act as part of the operating system, Deny log on locally, and Log on as a service.

The service account has Read\Execute to most Apache directories on a separate partition. Read\Write to \logs and modify to some other directories as needed under htdocs. PHP also needs modify for session data.

So you're saying this type of setup isn't very secure? I guess I need to review more on "Act as part of OS".

Cheeeze · Joined: 04 Jun 2015 Posts: 7 Location: USA, New York

So according to the Microsoft link I shared in my first post, they strongly recommend never applying that permission to any user - not even an administrator. It has the capability to impersonate any user on your system and therefore access every file on your system, regardless of permissions set. It's like root.

Perhaps I don't fully understand the mechanics of how the permission works. Maybe it would be too difficult (or not possible) for an outside threat to manipulate the apache user into impersonating another user. I don't know if the apache user gets instant access to all files, or if they need to do something with fancy code or APIs to get said access. It could be that none of this is a threat at all.

On the flip side, I also can't see ANY REASON why apache needs this permission, any written explanation of why it needs it, or even anyone who asked why it needs it. And yet it is explicitly recommended in the documentation.

On Linux, apache only needs root access to bind to port 80 (a privileged port). The actual apache processes do not run as root. They run as limited users. There is no such restriction on Windows, but the apache processes are recommended to run with the equivalent of root access.

As far as I can tell, the only reason it would be recommended is if someone snuck in a backdoor or weak spot into the documentations recommendation, and nobody knows why it was there so nobody wants to remove it. (*ahem* - NSA - *ahem*)

I'm sure I'm wrong about that, but one would think someone somewhere would know why it needs it. I turn to the Windows Apache devs for this - this is not an issue on Linux. I don't even think the Linux systems have such a permission to set. This is something recommended exclusively for Apache on Windows, which means the devs who write/compile it for Windows should surely know why they added said requirement...