[CentOS] Simple web server with Apache: web page permissions ?

Brian Mathis brian.mathis at gmail.com
Tue Sep 15 16:09:22 UTC 2009


On Tue, Sep 15, 2009 at 11:58 AM, Olaf Mueller <daily-planet at istari.de> wrote:
> Filipe Brandenburger wrote:
>> On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt
>> <ralph.angenendt at gmail.com> wrote:
>>> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
>>>> I remember having set up some web servers on Debian, and the
>>>> tradition was that everything under /var/www/html (as in this
>>>> example) was to be owned by user www-data and group www-data.
>>>>
>>>> What's the "tradition" with RHEL/CentOS?
>>>
>>> apache:apache - at least that is the UID/GID the webserver runs
>>> under.
>>
>> That's wrong. If your files are owned by Apache, any user that can
>> break into your server through Apache will be able to change those
>> files (i.e., deface your website).
> Why wrong? Concerning webdav, how would you get write access for users to
> write to directories?
>
> Now I am a little bit confused, is your answer under
> http://www.linux-archive.org/centos/354005-webdav-centos.html also
> wrong now? You recommended apache:apache for webdav there.
>

One must think about the application at hand and not make blanket
statements about this or that.  Obviously, as noted above, anything
that needs write access to the server disk will need to be owned by
the user who is running apache.  WebDAV would clearly be one of those
cases, while hosting a web site would not.

You are being disingenuous here by selectively editing out the
relevant quoted text from the same message above, which I will add
back in as a quote here:

        > Filipe Brandenburger wrote:
        > The only files you want writable by Apache are the ones that a web
        > application needs to write, like session files in PHP or config file
        > controlled by a web admin interface.


> By the way, if someone breaks into your server through Apache,
> apache:apache is your lowest problem, that's my opinion.
>
> regards
> Olaf

This statement is quite silly.  The type of configuration above could
be the vector by which the server is compromised, so it is not at all
the lowest problem.  In that case it WOULD *BE* the problem.
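The ownership model the thread converges on (static content readable but not writable by the httpd account, write access only on the handful of directories a web application genuinely needs, such as a PHP session or upload directory) can be applied and checked with a small shell helper. The script below is an added example written for this archive page; it is not code from anyone in the thread. It assumes CentOS conventions (docroot `/var/www/html`, httpd group `apache`) and the two function names `harden_docroot` and `audit_writable` are hypothetical; the ownership change only runs when the script has root and the named group exists, so the permission part can be exercised on a scratch copy as a normal user.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Model: files owned by root (or a deploy account), group = httpd group,
# no group/other write on static content; only the listed directories
# get group write (+ setgid so new files inherit the httpd group).

# harden_docroot DOCROOT HTTPD_GROUP [WRITABLE_DIR ...]
#   WRITABLE_DIR entries are relative to DOCROOT, e.g. "sessions" "uploads".
harden_docroot() {
  docroot="$1"; httpd_group="$2"; shift 2

  # Ownership needs root and an existing group; skip otherwise so the
  # function can also be run as a dry run on a scratch tree.
  if [ "$(id -u)" -eq 0 ] && getent group "$httpd_group" >/dev/null 2>&1; then
    chown -R root:"$httpd_group" "$docroot"
  fi

  # Static content: httpd can traverse and read, nobody but the owner writes.
  find "$docroot" -type d -exec chmod 0755 {} +
  find "$docroot" -type f -exec chmod 0644 {} +

  # Directories the application must write to: group-writable + setgid.
  for d in "$@"; do
    mkdir -p "$docroot/$d"
    chmod 2775 "$docroot/$d"
  done
}

# audit_writable DOCROOT
#   Prints every path under DOCROOT that is writable by group or other.
#   After hardening, only the intentionally writable directories should appear;
#   anything else listed is a candidate for defacement if httpd is compromised.
audit_writable() {
  find "$1" -perm /022 | sort
}

# Usage on a real host (as root):
#   harden_docroot /var/www/html apache sessions uploads
#   audit_writable /var/www/html
```

Run `audit_writable` after every deployment; the expected output is exactly the list of directories you passed to `harden_docroot`, and any extra line is a file the web server could modify.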
