Running Apache not as root for HTTPS

Question

I ma trying to make a Docker container image with an Apache server that handles TLS mutual authentication. Since this is a container Apache can be made to listen some high-numbered port instead of 443, so this should remove the need for root execution.

However, as soon as I try to enable TLS, I get this:

[Thu Oct 11 09:50:50.357758 2018] [auth_digest:notice] [pid 22] AH01757: generating secret for digest authentication ...
[Thu Oct 11 09:50:50.357818 2018] [auth_digest:error] [pid 22] (13)Permission denied: AH01762: Failed to create shared memory segment on file /run/httpd/authdigest_shm.22
[Thu Oct 11 09:50:50.357825 2018] [auth_digest:error] [pid 22] (13)Permission denied: AH01760: failed to initialize shm - all nonce-count checking, one-time nonces, and MD5-sess algorithm disabled

Are root privileges required to create the shared memory or can the access rights be amended to allow non-root usage?

Answer 1

I got another solution for this. In your configuration you can define a directory that you can write, other than /run/httpd/. Like this:

DefaultRuntimeDir runtime/

This could be a directory relative to your ServerRoot

You can find the document about httpd core and mod_slotmem_shm

Answer 2

Applications in containers usually run as root. But that doesn't mean that they have full root privileges.

From the docker security documentation:

[...] containers can run with a reduced capability set; meaning that “root” within a container has much less privileges than the real “root”.

Just let it run as root inside the container.

Answer 3

Eventually figured it out. Listing the access flags on /run/httpd shows:

drwx--x--- 3 root apache 4096 Sep 24 15:57 /run/httpd/

So only root can write there. So in the Dockerfile I added:

RUN chmod 770 /run/httpd

And it worked. Not sure it the best solution, though, and I welcome any comments that point out problems with that solution.