[CentOS] apache docroot permissions

Thu May 5 19:21:01 UTC 2011
Johan Martinez <jmartiee at gmail.com>

On Wed, May 4, 2011 at 7:38 PM, Gordon Messmer <yinyang at eburg.com> wrote:

> On 05/04/2011 12:49 PM, Johan Martinez wrote:
> > Thanks for the suggestions Richard and Kenneth. I installed drupal here
> > and it requires user running apache to have write access on filesystem.
> > Otherwise it complains: 'The directory sites/default/files is not
> > writable'. The content editors/developers need write access to
> > theme/pictures folders. So it seems like I can't avoid giving write
> > access to apache user. Any hacks or tips here?
>
> Tip 1:
> Your files and directories can have different permissions.  Rather than
> your original setup, try:
>
> chown -R apache:contenteditors /var/www/html
> find /var/www/html -type f -exec chmod 0464 {} +
> find /var/www/html -type d -exec chmod 2575 {} +
>
> or:
>
> chown -R apache:apache /var/www/html
> find /var/www/html -type f -exec setfacl -m g:contenteditors:rw {} +
> find /var/www/html -type d -exec setfacl -m g:contenteditors:rwx {} +
>
> Tip 2:
> Don't install drupal in /var/www/html.  Generally, /var/www/html should
> be used only for static content.  Web applications should be installed
> outside the document root to prevent a misconfiguration from allowing
> remote clients to download files that might contain configurations,
> passwords, or other sensitive information.  See the rpm packaged drupal
> for an example of how this is done.
>
> Tip 3:
> If your application says that it needs write access to
> "sites/default/files", then add write access only for that directory.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


Thanks for the suggestions everyone. I am using the following config for now.

* Moved drupal install outside document root and used alias for the
namespace mapping.
* Filesystem ownership: apache:contenteditors
* Filesystem permissions: u=rx, g=rwx, group with sticky bit set. The exception
is 'sites/default/files', on which apache has write permissions.

jM
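An added audit script, not code from the thread: it applies the mode bits from Tip 1 and Tip 3 to a docroot and then reports anything outside sites/default/files that the owner (standing in for the apache user) can still write. It assumes a POSIX sh with find, chmod and sed, and that the chown to apache:contenteditors is done separately as root.

```shell
#!/bin/sh
# Added example, not from the thread: applies and audits the layout discussed
# above (owner = apache, group = contenteditors, files 0464, dirs 2575, owner
# write only under sites/default/files). chown is left out because it needs
# root, so whoever owns the files stands in for the apache user; only the
# mode bits are applied and checked.

# apply_layout DOCROOT [ALLOWED]
# Files: owner read-only, group rw. Directories: owner rx, group rwx, setgid
# so new files inherit the group. Only ALLOWED (default sites/default/files)
# gets owner write access, as in Tip 3.
apply_layout() {
    docroot=$1
    allowed=${2:-sites/default/files}
    find "$docroot" -type f -exec chmod 0464 {} +
    find "$docroot" -type d -exec chmod 2575 {} +
    if [ -d "$docroot/$allowed" ]; then
        chmod u+w "$docroot/$allowed"
    fi
}

# audit_docroot DOCROOT [ALLOWED]
# Lists, relative to DOCROOT, every file or directory outside ALLOWED whose
# owner-write bit is set, i.e. anything the web server's user could modify.
# Empty output means the layout is intact.
audit_docroot() {
    docroot=$1
    allowed=${2:-sites/default/files}
    # -prune keeps find out of the allowed tree; -perm -200 matches entries
    # with the owner-write bit (octal 0200) set.
    find "$docroot" -path "$docroot/$allowed" -prune -o -perm -200 -print |
        sed "s|^$docroot/||" | sort
}

# writable_count DOCROOT [ALLOWED]: number of paths audit_docroot reports.
writable_count() {
    audit_docroot "$@" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh /srv/drupal  (applies the layout, then audits)
if [ $# -ge 1 ]; then
    apply_layout "$1"
    audit_docroot "$1"
fi
```

Run the audit on its own after each deploy; any path it prints is one the web server could rewrite if the application were compromised.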