[CentOS] Simple web server with Apache: web page permissions ?
Filipe Brandenburger
filbranden at gmail.com
Tue Sep 15 14:11:16 UTC 2009
Hi,
On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt
<ralph.angenendt at gmail.com> wrote:
> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
>> I remember having setup some web servers on Debian, and the tradition
>> was that everything under /var/www/html (as in this example) was to be
>> owned by user www-data and group www-data.
>>
>> What's the "tradition" with RHEL/CentOS?
>
> apache:apache - at least that is the UID/GID the webserver runs under.
That's wrong. If your files are owned by Apache, any user that can
break into your server through Apache will be able to change those
files (i.e., deface your website).
In Debian Apache runs under (IIRC) www-run which is different from www-data.
In other words, your files should be "readable" and not "writable" by
user Apache.
You might choose to achieve that by setting file permissions to 640
and directory permissions to 750 and ownership root:apache or
youruser:apache, or setting file/directory ownership to world-readable
and then any owner/group different than "apache" would do.
The only files you want writable by Apache are the ones that a web
application needs to write, like session files in PHP or config file
controlled by a web admin interface.
HTH,
Filipe
More information about the CentOS
mailing list