Why is apache2 running as root on my Lubuntu?

5 points by golgo_13 3 years ago · 8 comments · 1 min read


I use a small netbook to run a web crawler, and it uses Lubuntu with minimal applications. I have definitely never installed apache on this machine. ps is showing it running as root user as well as my user ID. I uninstalled it and the process is gone. But why was it there to begin with?

LinuxBender 3 years ago

Does your web crawler run as a non-root user and not in sudoers? Does sudoers allow passwordless sudo? Could it be the crawler hit a malicious URL designed to trick crawlers into executing commands or code using a parsing bug?

Or by chance does your crawler or some other package have a web UI that utilizes Apache as a dependency but you perhaps have always used the CLI? By default apache should not be running as root. There should be an suexec in the configuration file and the child processes should be running as a non-root service account. Are there any comments possibly left by a script in the config?

Do you have package installation logs in /var/log somewhere? I don't use the Ubuntu variants so not sure which log this would be. Maybe /var/log/apt/? or /var/log/dpkg.log or maybe there are entries in /var/log/messages? Packages installed just prior to or just after apache2 may give some clues as to what pulled it in as a dependency.

  • toast0 3 years ago

    > By default apache should not be running as root.

    Everywhere I've run apache, it runs the control process as root, and the serving processes as (nobody|www|something); that way it can open new sockets when reloading the config, if required, before forking new serving processes. There's ways you can avoid a root control process, but that's going to be the default, as it's the easiest way to achieve the results people usually want.

  • golgo_13 (OP) 3 years ago

    Hmmm it's just a Python/selenium bot... I think selenium runs on a given local-loopback:port, but I don't think it uses apache though?

    • LinuxBender 3 years ago

      Your bot would not intentionally by design, but if it were tricked into parsing a malicious URL then the remote site could potentially trick your bot into executing code or commands but this is hypothetical and less likely than some application you installed pulling apache in as a dependency.

      I would first check all the logs. Also look in /var/log/audit/audit.log if you have auditd enabled.

  • golgo_13 (OP) 3 years ago

    will poke around the logs a bit though... thanks!

  • golgo_13 (OP) 3 years ago

    actually could it have been included when installing build-essential from apt repo?

    • LinuxBender 3 years ago

      If this was done through apt then I would expect it to be in your logs unless they rotated out. Older logs may be .gz or .bz2 compressed. Oldest logs may be gone.

ecesena 3 years ago

Why it’s running as root: to bind to port 80 (any port < 1024) it needs root privileges.

As toast0 said, you’ll see multiple processes with different users.

Why it was there I don’t know :)
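
The log check suggested in the thread, as an added example that is not part of any comment above: it parses apt's transaction log to find which command installed apache2 and whether it arrived only as a dependency. It assumes the standard Debian/Ubuntu `/var/log/apt/history.log` stanza format; the sample log and the package name `example-webui` are constructed for illustration.

```python
import bz2, glob, gzip, re

# Constructed sample in the /var/log/apt/history.log stanza format (not from the thread);
# "example-webui" is a hypothetical package name.
SAMPLE = """
Start-Date: 2021-03-02  14:21:07
Commandline: apt-get install build-essential
Install: build-essential:amd64 (12.8ubuntu1), g++:amd64 (4:9.3.0-1ubuntu2, automatic)
End-Date: 2021-03-02  14:21:40

Start-Date: 2021-03-05  09:10:11
Commandline: apt install example-webui
Install: example-webui:amd64 (1.0), apache2:amd64 (2.4.41-4ubuntu3, automatic)
End-Date: 2021-03-05  09:10:55
"""

# One "name:arch (version[, automatic])" entry of an Install: field.
ENTRY = re.compile(r"([^\s:,]+)(?::\w+)? \(([^)]*)\)")

def parse_history(text):
    """Yield one dict of fields per apt transaction (blank-line separated stanzas)."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields:
            yield fields

def who_installed(text, package):
    """For each transaction that installed `package`, return (start date, command
    line, packages named explicitly, whether `package` was only a dependency)."""
    hits = []
    for tx in parse_history(text):
        pkgs = {n: "automatic" in d for n, d in ENTRY.findall(tx.get("Install", ""))}
        if package in pkgs:
            explicit = sorted(n for n, auto in pkgs.items() if not auto)
            hits.append((tx.get("Start-Date", "?"), tx.get("Commandline", "?"),
                         explicit, pkgs[package]))
    return hits

def read_logs(pattern="/var/log/apt/history.log*"):
    """Concatenate the current log and rotated copies, including .gz/.bz2 ones."""
    parts = []
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else bz2.open if path.endswith(".bz2") else open
        with opener(path, "rt", errors="replace") as fh:
            parts.append(fh.read())
    return "\n\n".join(parts)

if __name__ == "__main__":
    for date, cmd, explicit, dep in who_installed(read_logs() or SAMPLE, "apache2"):
        print(f"{date}  {cmd!r}  explicit={explicit}  pulled_in_as_dependency={dep}")
```

A transaction with no `Commandline:` field is reported with `?`, which usually means it was started by something other than an interactive apt command.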
