Olaf Mueller wrote:
Filipe Brandenburger wrote:
On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt ralph.angenendt@gmail.com wrote:
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.
What's the "tradition" with RHEL/CentOS?
apache:apache - at least that is the UID/GID the webserver runs under.
That's wrong. If your files are owned by Apache, any user that can break into your server through Apache will be able to change those files (i.e., deface your website).
Why wrong? Concerning webdav, how would you get write access for users to write to directories?
Now I am a little bit confused, is your answer under http://www.linux-archive.org/centos/354005-webdav-centos.html also wrong now? You recommended apache:apache for webdav there.
Webdav resources typically need write access.
By the way, if someone breaks into your server through Apache, apache:apache is your lowest problem, that's my opinion.
It is a fairly high risk if you run server-side code (php, perl, etc) for anything. It lets the intruder write where apache is allowed to write. That doesn't have to be anywhere unless you permit uploads.
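
A way to check the point made in the last reply, added here as an example and not part of the thread: list every path under the document root that the web server account can change. The function name `writable_by` is made up for this example, and it looks only at ownership and mode bits, not at ACLs, SELinux or supplementary groups.

```bash
#!/bin/bash
# Added example (not from the thread): list what one account can change
# under a document root, going by ownership and mode bits only.
# ACLs, SELinux and supplementary groups are NOT considered.
#
# usage: writable_by DOCROOT USER GROUP
#   e.g. writable_by /var/www/html apache apache
#
# A path is reported when any of these holds:
#   - USER owns it (an owner can chmod the file back to writable,
#     so the current mode does not matter)
#   - its group is GROUP and the group-write bit is set
#   - the world-write bit is set
# A reported directory means entries can be added to it, and existing
# entries can usually be removed or replaced, whatever their own modes.
# Symlinks are skipped because their mode bits are meaningless.
writable_by() {
    find "$1" ! -type l \( \
        -user "$2" -o \
        \( -group "$3" -perm -0020 \) -o \
        -perm -0002 \
    \) -print
}
```

An empty result for the server account means content is served read-only; for WebDAV or upload directories, the output should list only those directories.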