[CentOS] /var/www/html

Paul Heinlein heinlein at madboa.com
Mon Nov 7 16:30:44 UTC 2005


On Mon, 7 Nov 2005, JC wrote:

> by default, /var/www/html/ folder is under user/group root.  Is it a 
> good idea to change this to apache user/group?  I'm trying to set up 
> web server box using CentOS 4.2.  Any idea how this change can 
> affect the system and php programming?  Any pros & cons for this 
> change???

If the apache user owns the /var/www/html tree, then any httpd process 
can write into that file space. That's probably not at all what you 
want unless you're running Apache with extremely tight access controls 
and wire-level crypto.

There are occasions when the apache user needs to be able to write to 
files -- wikis and webdav are good examples -- but usually the 
directories available to those processes are clearly identified.

Having the apache group own the tree is subtly different. On a 
multi-user system, giving the apache group read access to 
/var/www/html and then running "chmod -R o-rwx" against that tree can 
prevent unauthorized local users from poking around the web tree and 
potentially bypassing Apache's access controls.

> Any security risk to have /var/www/html/ folder under user/group 
> root?

None per se, though you probably don't want to have to provide sudo 
access just for people to publish web pages. Typically, I think, 
different user groups are given write-access to different parts 
of the /var/www/html tree so they can maintain their content.

Also, if you're actively running SELinux, you'll need to pay attention 
to the security-context attributes of files/directories you create. 
Do "ls -Z" to see what's up.

-- 
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com
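
The layout described in the reply above (tree not owned by the web server account, the apache group limited to read access, nothing left for "other" after "chmod -R o-rwx") can be checked with a short script. This is an added example, not part of the original post: audit_webroot, make_sample_tree and the output labels are hypothetical names, "apache" is assumed as the default account, and the sample tree is constructed.

```shell
#!/bin/sh
# audit_webroot ROOT [WEB_USER] [WEB_GROUP]
# Prints one line per finding; no output means the tree matches the layout
# from the reply. Function names and labels are hypothetical (added example).
audit_webroot() {
    aw_root=$1
    aw_user=${2:-apache}     # account httpd runs as; a numeric uid also works
    aw_group=${3:-apache}    # group httpd runs as; a numeric gid also works

    # Owned by the web server account: any httpd process can rewrite it.
    find "$aw_root" -user "$aw_user" -print | sed 's/^/OWNED_BY_WEB_USER /'

    # The web group is meant to read only; group write is the same exposure.
    find "$aw_root" ! -type l -group "$aw_group" -perm -020 -print |
        sed 's/^/WEB_GROUP_WRITABLE /'

    # Any bit left for "other" lets local users read or change content
    # behind Apache's back; this is what "chmod -R o-rwx" clears.
    find "$aw_root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/OTHER_ACCESS /'
}

# Constructed sample tree for a dry run (not from the thread).
# Prints the path of the temporary directory it creates.
make_sample_tree() {
    st_dir=$(mktemp -d) || return 1
    mkdir "$st_dir/uploads"
    : > "$st_dir/index.html"
    : > "$st_dir/config.php"
    chmod 750 "$st_dir"
    chmod 640 "$st_dir/index.html"
    chmod 644 "$st_dir/config.php"   # readable by "other": should be flagged
    chmod 770 "$st_dir/uploads"      # group-writable: should be flagged
    printf '%s\n' "$st_dir"
}

# Run against a real tree when a path is given, e.g.:
#   sh audit_webroot.sh /var/www/html apache apache
if [ "$#" -gt 0 ]; then
    audit_webroot "$@"
fi
```

Findings under directories that are deliberately writable by the server (the wiki and webdav cases mentioned in the reply) are expected and can be reviewed individually.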
