Apache httpd.conf User/Group Setting

Question

I have an httpd.conf file that contains the following:

<IfModule unixd_module>
<If "env('OS') == 'Darwin'">
    User daemon
    Group admin
</If>
<Else>
    User www
    Group scm
</Else>
</IfModule>

What I'm trying to do is set the user id for the httpd instance in my development environment on OSX to one user, but a different user when it is deployed to Ubuntu. I'm receiving a syntax error message:

AH00526: Syntax error on line 32 of /usr/local/apps/apache2/conf/httpd.conf:
User not allowed here

I looked at the If directive and it is allowed here. If I comment out the User/Group I do not get the syntax error. Without the IF/Else, and only using one user, this works. If I try to use the condition with the user/group I receive an error. Is this possible in the httpd.conf? If so, then how? Is there a different way to accomplish the same thing? The "OS" environment variable is set in each environment with "export OS=uname". This is in Apache httpd 2.4.4.

Answer 1

I finally found a moment to check it more deeply, and it is because Override behaviour. I have briefly checked with 2.4.4 source, and it seems to me, that basically only directives which are on "Override" list in current Directory or Location contexts are overridable with If/Else.

As "User" and "Group" are supposed to be set once for the whole installation, and not to be modified by ".htaccess" or depending on Directory/Location context, therefore they are not on some default "AllowOverride" list, and you cannot simply put it into such context to make them overridable. Makes sense though, to force User/Group options to be valid only on top of apache internal "configuration tree".

To achieve behaviour you need in reasonable way, as I explained shortly in my comment, you should use "envvars" mechanism, available by default in Debian ( probably Ubuntu as well ).

In short, there's /etc/apache2/envvars file containing e.g.

unset HOME
if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
    SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
else
    SUFFIX=
fi
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid
export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
export LANG=C
export LANG

It is sourced/inherited by /etc/init.d/apache2 startup script, so in httpd main config file (e.g. apache2.conf) the following section can be used

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

Simple modification of /etc/apache2/envvars would then let you get what you need. You can also change some default value for User/Group in compile settings for User/Group used on your OSX, and use the script on Ubuntu side only.