[CentOS] Is it bad for my web document folder to be user accessible?

Jim Perrin jperrin at gmail.com
Mon Sep 19 16:28:03 UTC 2005


On 9/19/05, Dave Gutteridge <dave at tokyocomedy.com> wrote:
>
> PHP and MySQL seem to be working on my CentOS installation.
> I'd like to install phpMyAdmin as well, so I downloaded the necessary
> files from phpMyAdmin's homepage and copied them to /var/www/html...
>
> ... except that's where the process stopped. My regular user account
> doesn't have permission to write into the /var/www/html folder.
>

Some things to consider here. You may want to make a web group, add
your user to it, and make /var/www/html writeable by members of that
group. Then you won't need to be root, or worry about any other users
who should not have access connecting.

> Should I just chmod the folder to 777? Is there a reason it's not
> already user accessible?

No. This is a bad idea. It's not user accessible to protect it from
users. You don't want people being able to rewrite files without
making sure they should be able to. If you change the permissions as
you say, there's nothing to stop a malicious user from rewriting it to
break, email passwords to them, alter your db, etc...

>
> This is a local machine where I'll be testing web pages of my own
> design, and not accessible from the web.
>

Good. php-myadmin should NOT be wide open to the world.

> Or at least I hope not. If I'm running an Apache server just for local
> files, it's not being seen on the web, is it?
>

Depends on how you have your config set. You could add a section to
httpd.conf and restrict myadmin to local network ips, or ideally, just
localhost.

I'd also recommend only making it accessible over https, using cookie
or http based auth instead of config based auth etc.

If you want more detail on anything I've mentioned, let me know. I'm
being brief because I'm not sure which way you want to go yet.

--
Jim Perrin
System Administrator - UIT
Ft Gordon & US Army Signal Center
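
The group-based setup suggested in the reply above, sketched as an added example (not part of the original message): it lists world-writable entries in the document root and replaces a 777-style layout with group write access. The group name `web`, the user `dave` and the script name `docroot-group.sh` are assumptions.

```shell
#!/bin/sh
# Added example. Group name "web" and user "dave" are assumptions.
# One-time setup, as root:
#   groupadd web
#   gpasswd -a dave web      # takes effect at dave's next login
#   sh docroot-group.sh /var/www/html web

# Print every entry under $1 that any local account can modify.
# Symlinks are skipped: their mode is always 777 and means nothing.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Hand tree $1 to group $2: group members get write access, while
# accounts outside the group (normally the Apache account) cannot write.
set_group_docroot() {
    docroot=$1
    group=$2
    chgrp -R "$group" "$docroot" || return 1
    # 2775: setgid makes new files inherit the group; no write for "other".
    find "$docroot" -type d -exec chmod 2775 {} + || return 1
    # Keep existing execute bits on files, add group write, drop world write.
    find "$docroot" -type f -exec chmod ug+rw,o-w {} + || return 1
}

if [ "$#" -eq 2 ]; then
    set_group_docroot "$1" "$2" || exit 1
    echo "Still world-writable under $1:"
    world_writable "$1"
fi
```

Running `world_writable /var/www/html` on its own is a quick check after any manual `chmod`; empty output means no entry is writable by arbitrary local users.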


