[CentOS] Simple web server with Apache: web page permissions ?

Brian Mathis brian.mathis at gmail.com
Tue Sep 15 14:05:35 UTC 2009


On Tue, Sep 15, 2009 at 6:39 AM, Ralph Angenendt
<ralph.angenendt at gmail.com> wrote:
>
> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
>> I remember having setup some web servers on Debian, and the tradition
>> was that everything under /var/www/html (as in this example) was to be
>> owned by user www-data and group www-data.
>>
>> What's the "tradition" with RHEL/CentOS?
>
> apache:apache - at least that is the UID/GID the webserver runs under.
>
> Ralph
>

This is EXTREMELY DANGEROUS!!!!  Do NOT give the same ownership to the
files as the user/group that apache runs as!  As apache runs as
apache:apache, setting all of the files with that same owner/group
gives everyone on the Internet the possibility to write to any web
server files on your server.  DO NOT DO THIS!!!

If there's a bug that allows file write access in apache or in any of
the program files you run as cgi/php/etc..., then an attacker can
write to anywhere in your web site/web app, and gain access to pretty
much the entire server.  They could plant malware that is served up to
all your web users, implant programs that you might run yourself or as
root, possibly open up shell access and login to your server, etc...

The correct ownership for all of your web files is any user that
the web server is NOT running as.  If your web apps need the ability
to upload files or to write to specific files, you will have to change
those exceptions to apache:apache, but keep that as minimal as
possible.



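The layout Brian describes, as an added shell example that is not part of the original thread: content owned by a non-service account and readable (not writable) by the httpd group, a minimal set of exception directories handed to the service account, and an audit that lists anything under the document root the service UID/GID could still write. Assumed names: a hypothetical deploy account `webdeploy`, the RHEL/CentOS service account `apache:apache`, and a docroot of `/var/www/html`; paths are assumed to contain no newlines. `chown` needs root, so the hardening function applies only the mode bits when run unprivileged.

```sh
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumed names (hypothetical): owner "webdeploy", service account apache:apache,
# docroot /var/www/html with one upload directory as the only writable exception.

# harden_webroot DOCROOT OWNER SVC_USER SVC_GROUP [WRITABLE_DIR...]
# Content: OWNER:SVC_GROUP, dirs 750 / files 640, so httpd can read but not write.
# Exceptions: SVC_USER:SVC_GROUP, dirs 770 / files 660.
# chown requires root; when run unprivileged only the mode bits are applied.
harden_webroot() {
    docroot=$1; owner=$2; svc_user=$3; svc_group=$4; shift 4
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$svc_group" "$docroot"
    fi
    find "$docroot" -type d -exec chmod 750 {} +
    find "$docroot" -type f -exec chmod 640 {} +
    for d in "$@"; do
        mkdir -p "$d"
        if [ "$(id -u)" -eq 0 ]; then
            chown -R "$svc_user:$svc_group" "$d"
        fi
        find "$d" -type d -exec chmod 770 {} +
        find "$d" -type f -exec chmod 660 {} +
    done
}

# audit_webroot DOCROOT SVC_USER SVC_GROUP [ALLOWED_DIR...]
# Prints every path httpd could write: owned by SVC_USER, group-writable by
# SVC_GROUP, or world-writable, skipping the allowed exception trees.
# Returns 0 when nothing is found, 1 otherwise. Numeric IDs are accepted by
# find's -user/-group, which keeps the audit usable on hosts without the account.
audit_webroot() {
    docroot=$1; svc_user=$2; svc_group=$3; shift 3
    tmp=$(mktemp)
    find "$docroot" \( -user "$svc_user" \
                    -o \( -group "$svc_group" -perm -g+w \) \
                    -o -perm -o+w \) -print > "$tmp"
    n=0
    while IFS= read -r p; do
        allowed=0
        for a in "$@"; do
            case "$p" in "$a"|"$a"/*) allowed=1 ;; esac
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$p"
            n=$((n + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    [ "$n" -eq 0 ]
}

# Typical use on a CentOS host (as root):
#   harden_webroot /var/www/html webdeploy apache apache /var/www/html/uploads
#   audit_webroot  /var/www/html apache apache /var/www/html/uploads
```

Run the audit from cron or a configuration-management check: a non-zero exit means something outside the declared upload directory has drifted back to apache-writable, which is exactly the state the post warns against.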