The problems pointed out above by benlumley, i.e. log files and reserved ports, can easily be overcome by configuring the log directory and port in your httpd.conf.

benlumley 上面指出的问题，即日志文件和保留端口，可以通过在 httpd.conf 中配置日志目录和端口来轻松克服。

You can run Apache as any user. Just make sure that it is set up to only use allowed resources (directories, files and most importantly listening on a non privileged port).

您可以以任何用户身份运行 Apache。只需确保将其设置为仅使用允许的资源（目录、文件，最重要的是侦听非特权端口）。

To have it appear on HTTP's standard port 80 (which is priviledged) you will have to setup, as roota redirection to your real Apache server. The easiest way is probably using iptables. For example if your Apache server is listening on port 8080:

要让它出现在 HTTP 的标准端口 80（这是特权端口）上，您必须以root身份设置重定向到您的真实 Apache 服务器。最简单的方法可能是使用 iptables。例如，如果您的 Apache 服务器正在侦听端口 8080：

iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -j REDIRECT --to-port 8080

If you can not configure the server like this (or have your sysadmin do that once for all) you will have to use a non privileged port (something like Listen 8080) and access it using an URL that looks like http://www.example.com:8080/

如果您不能像这样配置服务器（或让您的系统管理员一劳永逸地配置），您将不得不使用非特权端口（类似于Listen 8080）并使用类似于http://www.example的 URL 访问它。 com:8080/

If you have sudo installed you can create a file: /etc/suduers.d/apache2reload with the following content:

如果您安装了 sudo，您可以创建一个文件：/etc/suduers.d/apache2reload，内容如下：

username    ALL=NOPASSWD:/usr/bin/service apache2 reload

Short answer: No

简短回答：否

The reason for it is that only root can bind ports below 1024.

原因是只有root才能绑定1024以下的端口。

Long answer: check out http://www.debian-administration.org/articles/386

长答案：查看http://www.debian-administration.org/articles/386

Once you overcome the problem with the ports, I don't think there will be any more trouble. Just remember that the user that apache runs under need to have write-access to the log files and maybe some other files as well.

一旦你克服了端口的问题，我认为不会再有麻烦了。请记住，运行 apache 的用户需要对日志文件以及其他一些文件具有写访问权限。

However, if you run it without sudo, the spawner will probably not be able to change the user, so apache will be being run as the user starting it, instead of the apache user.

但是，如果您在没有 sudo 的情况下运行它，生成器可能无法更改用户，因此 apache 将作为启动它的用户而不是 apache 用户运行。

But what is the reason you don't want to run sudo? It is only the spawner process that is being run as root, the rest of them are being run under the apache user.

但是您不想运行 sudo 的原因是什么？只有 spawner 进程以 root 身份运行，其余进程都在 apache 用户下运行。

If you don't want to give out sudo access, you can also create a setuid wrapper program. For example:

如果您不想授予 sudo 访问权限，您还可以创建一个 setuid 包装程序。例如：

httpdctrl.c

httpdctrl.c

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <signal.h>
#include <strings.h>

// allow start/stop/restart of apache by non-root users

int main(int argc, char **argv)
{
  char *cmd, *cmd2, *usage;

  // UPDATE THIS LINE:
  cmd = "/your/path/to/httpd/sbin/apachectl";
  cmd2 = "apachectl";
  usage = "Usage: COMMAND [start|stop|restart]\n";

  if ( argc != 2 ) {
    printf(usage);
    exit(1);
  }

  setegid(0);
  seteuid(0);
  setgid(0);
  setuid(0);

  if ( strncmp(argv[1], "start", 5) == 0 ) {
    if (execl(cmd, cmd2, "start", (char*)0) < 0) {
     perror("Error");
    }
  } else if ( strncmp(argv[1], "stop", 4) == 0 ) {
    if (execl(cmd, cmd2, "stop", (char*)0) < 0) {
     perror("Error");
    }
  } else if ( strncmp(argv[1], "restart", 7) == 0 ) {
    if (execl(cmd, cmd2, "restart", (char*)0) < 0) {
     perror("Error");
    }
  } else {
    printf(usage);
    exit(1);
  }
  exit(0);
}

Update the path at:

更新路径：

  // UPDATE THIS LINE:
  cmd = "/your/path/to/httpd/sbin/apachectl";

Then compile and change permisions with

然后编译并更改权限

gcc -o httpdctrl httpdctrl.c
sudo chown root:root httpdctrl
sudo chmod u+s httpdctrl

Now the httpdctrl is owned by root, and setuid will run it as root.

现在 httpdctrl 归 root 所有，setuid 将以 root 身份运行它。

IMPORTANT: Make sure the start/stop script and all parent dirs are owned by root as well. Also remove write access to files and dirs for 'other'. Basically, you don't want someone to be able to edit or change the dirs/files that are executed with root.

重要提示：确保启动/停止脚本和所有父目录也归 root 所有。还要删除对“其他”的文件和目录的写访问权限。基本上，您不希望有人能够编辑或更改使用 root 执行的目录/文件。

The two problems I can think of that you need to overcome are:

我能想到的你需要克服的两个问题是：

1. Permissions on log files - these may well be already set to allow wwwrun to access them, but its often an issue.

2. Non root user accessing a privileged port (80) - not sure if/how you can change this.

1. 日志文件的权限 - 这些可能已经设置为允许 wwwrun 访问它们，但这通常是一个问题。

2. 非 root 用户访问特权端口 (80) - 不确定您是否/如何更改它。

I think you should be able to do this by granting execute access to the group owning the Apache control program (e.g., "chmod g+x apachectl"). If this is doesn't work by itself try also setting the owner SUID bit on the program (something along the lines of "chmod u+s apachectl").

我认为您应该能够通过向拥有 Apache 控制程序的组授予执行访问权限（例如，“chmod g+x apachectl”）来做到这一点。如果这本身不起作用，请尝试在程序上设置所有者 SUID 位（类似于“chmod u+s apachectl”）。

The first step allows users in your wwwrun group to execute the apachectl program. The second step makes it so that when the group runs the program, it runs with the program owners privileges.

第一步允许您的 wwwrun 组中的用户执行 apachectl 程序。第二步使得当该组运行程序时，它以程序所有者的权限运行。

Let me know if this works, I'm a little rusty with file execution SUID, but I can help look into it further if you still have problems.

让我知道这是否有效，我对文件执行 SUID 有点生疏，但如果您仍有问题，我可以帮助进一步研究。

Be sure you understand the consequences of setting the SUID bit before you do this though.

不过，在执行此操作之前，请确保您了解设置 SUID 位的后果。

You can view your privileges with sudo -l, from here you might find that you have access to the restart command, but maybe not start and stop.

您可以使用 sudo -l 查看您的权限，从这里您可能会发现您可以访问重启命令，但可能无法启动和停止。

Some link I found gave the most beneficial answer for this. Technically, it's still acting as root but you can chmod u+s the apache2 and apache2ctl (if you're also using the second) loading files. This allows you to run them with root access but still be of a user that holds the same permissions, keeping security intact (unless apache or apache2ctl were to do crazier things which I doubt they are).

我发现的一些链接为此提供了最有益的答案。从技术上讲，它仍然以 root 身份运行，但您可以 chmod u+s apache2 和 apache2ctl（如果您还使用第二个）加载文件。这允许您使用 root 访问权限运行它们，但仍然是拥有相同权限的用户，保持安全性不变（除非 apache 或 apache2ctl 做了我怀疑他们是的更疯狂的事情）。

You can "setuid" to allow non-root users to run apachectl as root (without having to authenticate as root).

您可以“setuid”以允许非 root 用户以 root 身份运行 apachectl（无需以 root 身份进行身份验证）。

Example

例子

Edit: Should mention that you require root access to set this up in the first place :-)

编辑：应该提到您首先需要 root 访问权限才能进行设置:-)