[CentOS] Simple web server with Apache: web page permissions ?

Jim Perrin jperrin at gmail.com
Tue Sep 15 11:10:28 UTC 2009


On Tue, Sep 15, 2009 at 4:20 AM, Niki Kovacs <contact at kikinovak.net> wrote:
> Hi,

> Q: what permissions should I define for these pages?

I'd say, the most restrictive permissions possible, that still allow
your web application to function. I'm a bit more security
conscious/paranoid than most though.

There is an array of things to consider when you're asking about this
sort of thing.
1. Is it a simple server where the person setting things up has the
keys to the castle everywhere, or do you have a 'web group' who can
only deposit pages, but have no other additional privileges and no
root access?

2. Are you hosting static content or dynamic pages?

> I remember having setup some web servers on Debian, and the tradition
> was that everything under /var/www/html (as in this example) was to be
> owned by user www-data and group www-data.
>
> What's the "tradition" with RHEL/CentOS?

The default in CentOS is root ownership, with read privs so the web
server running as apache can hand them out. This is fine for static
content in a basic setup. Some content management systems require that
the web server be able to create files, in which case Ralph's
recommendation of apache:apache ownership is correct.  The downside to
this is that if someone compromises that software through a php
exploit or bad code, they can make changes since they're operating as
the apache user.

I would suggest that you mix the two ideologies as much as possible.
Have root own everything that doesn't change, and display it with 644
permissions. Then let the apache user own the dynamic content areas.

The whole idea is to assume that at some point, someone *is* going to
get in, and you need to plan to minimize the impact when they do. By
planning things out in this way, you can keep your system much more
secure, and prevent nearly all break-ins before they occur.


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
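The split layout the reply describes (root-owned, mode 644 static content with only the dynamic area owned by the apache user), as an added example that is not part of the original message. The document root, the "uploads" directory name and the "apache" user are assumptions; the audit function is what a practitioner would run after applying the layout to confirm nothing outside the dynamic area is writable by the web server.

```shell
#!/bin/sh
# Added example, not from the original post or the CentOS project.
# apply_layout DOCROOT DYNDIR WEBUSER   (must run as root to chown)
#   static tree : root:root, dirs 755, files 644
#   dynamic tree: WEBUSER:WEBUSER, same modes, so only the web server writes there
apply_layout() {
    docroot=$1; dyndir=$2; webuser=$3
    chown -R root:root "$docroot"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    mkdir -p "$docroot/$dyndir"
    chown -R "$webuser:$webuser" "$docroot/$dyndir"
    # On CentOS with SELinux enforcing, the dynamic directory also needs a
    # writable file context, e.g.:
    #   chcon -R -t httpd_sys_rw_content_t "$docroot/$dyndir"
}

# audit_layout DOCROOT DYNDIR WEBUSER
# Lists every path outside DYNDIR that the web server could modify:
# group- or world-writable, or (if WEBUSER exists) owned by WEBUSER.
# Returns 0 when clean, 1 when there are findings.
audit_layout() {
    docroot=$1; dyndir=$2; webuser=$3
    findings=$({
        find "$docroot" -path "$docroot/$dyndir" -prune -o \
             \( -perm -020 -o -perm -002 \) -print
        if id "$webuser" >/dev/null 2>&1; then
            find "$docroot" -path "$docroot/$dyndir" -prune -o \
                 -user "$webuser" -print
        fi
    } | sort -u)
    [ -z "$findings" ] && return 0
    printf 'web-writable outside %s:\n%s\n' "$dyndir" "$findings"
    return 1
}

# Typical use (assumed paths):
#   apply_layout /var/www/html uploads apache
#   audit_layout /var/www/html uploads apache
```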