[CentOS] Simple web server with Apache: web page permissions ?

Filipe Brandenburger filbranden at gmail.com
Tue Sep 15 16:22:41 UTC 2009


Hi,

On Tue, Sep 15, 2009 at 11:58, Olaf Mueller <daily-planet at istari.de> wrote:
> Filipe Brandenburger wrote:
>
>> On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt <ralph.angenendt at gmail.com> wrote:
>>> apache:apache - at least that is the UID/GID the webserver runs
>>> under.
>>
>> That's wrong. If your files are owned by Apache, any user that can
>> break into your server through Apache will be able to change those
>> files (i.e., deface your website).
>
> Why wrong? Concerning webdav, how would you get write access for users to
> write to directories?

Well, that is not the use case presented by the OP:

On Tue, Sep 15, 2009 at 04:20, Niki Kovacs <contact at kikinovak.net> wrote:
> Let's say I'm using Apache's default configuration for setting up the
> most simple no-frills web server, e. g. no virtual hosts, only a series
> of static HTML pages in /var/www/html.

Obviously, if you want to set up Apache to serve WebDAV with write
access you will need to set the permissions to the files in a way that
Apache is able to write to the files. There are many other cases that
might justify that, but that should not be done every time, as much as
you should not run "chmod 777" or "kill -9" without thinking about
what you are doing and knowing the consequences of those commands.

However, if you are serving files that are not supposed to be modified
by Apache or a web application running under it, they should *not* be
writable by the Apache user. Making them writable by the Apache user
will only increase the potential for damage should your webserver be
hacked. But it's good to point that out since that is a very common
mistake among beginner (and even more seasoned!) sysadmins.

HTH,
Filipe
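
The check implied by this message, as an added example that is not part of the original post: a POSIX shell function that lists every path under a document root that the web server account could modify. The `apache` account and `/var/www/html` are the values named in the thread; the function name `audit_docroot` and the script name are made up here.

```sh
#!/bin/sh
# Added example, not from the thread.
# Usage: sh audit_docroot.sh /var/www/html apache apache
#
# audit_docroot ROOT WEB_USER WEB_GROUP
#   WEB_USER and WEB_GROUP may be names or numeric IDs.
#   Prints "<reason><TAB><path>" for each path the web server account
#   could change. No output means nothing under ROOT is writable by it.
audit_docroot() {
    # Symlinks are skipped: their own mode bits carry no meaning.
    # The three tests are tried in order, so each path is reported once.
    #  1. Owned by the web user: flagged whatever the mode, because an
    #     owner can always chmod the file back to writable.
    #  2. Group-writable and in the web server's group.
    #  3. World-writable.
    # Directories count too: write access to a directory lets the account
    # replace or add files inside it.
    find "$1" ! -type l \( \
            -user "$2" -exec printf 'owned-by-web-user\t%s\n' {} \; \
         -o -group "$3" -perm -0020 -exec printf 'group-writable\t%s\n' {} \; \
         -o -perm -0002 -exec printf 'world-writable\t%s\n' {} \; \
        \)
}

# Run the audit when the script is called with all three arguments.
if [ "$#" -eq 3 ]; then
    audit_docroot "$@"
fi
```

For the static-pages case in the original question, the output should be empty: files owned by another account (for example root), readable by everyone, writable only by their owner.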
