On Mon, 2011-01-31 at 18:05 +0100, Nicolas Thierry-Mieg wrote:
So you prefer giving the apache user write access to /var/www? Is this really a good thing...? I agree with the group advice though, if you have several users modifying the website content of course.
Apache is wonderfully flexible where "root" or "base" directories can be created for USER applications.
There is absolutely NO need to let any HTML user rummage around in /var/www/. My advice is to keep them well out and disable any dodgy 'Alias' links.
All my web sites are created as virtual hosts and the base directories start at /data/web/domain-name/public/. Thus no web user gets the chance of roaming anywhere except above /data/web/domain-name/public/. PHP routines used on web pages are in /data/sys to which no web user can get access.
Also avoid having phpMyAdmin off the main web directory. Ordinary users don't need access and should never have access to it. Hide it away somewhere and create a virtual Apache host to use it with a non-standard port number. Make it hard for the hackers and spoilers to find it.
/data is a directory created in the operating system's root directory and may reside on its own partition.
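The layout described in this message, written out as an added configuration sketch that is not part of the original post and not the poster's own configuration. It assumes Apache 2.4 syntax and mod_php; the host names, port 8081, the /data/admin/phpmyadmin path and the 192.0.2.0/24 admin network are placeholders, and the IP restriction is an addition so that the admin host does not rely on the unusual port alone.

```apache
# Added example, Apache 2.4 syntax. Placeholder names are marked below.

# Default-deny the whole filesystem; each site opens only its own tree.
<Directory "/">
    Require all denied
    AllowOverride None
    Options None
</Directory>

# One virtual host per site, rooted at /data/web/<domain-name>/public/.
<VirtualHost *:80>
    # Placeholder host name
    ServerName domain-name.example
    DocumentRoot "/data/web/domain-name/public"

    <Directory "/data/web/domain-name/public">
        Require all granted
        AllowOverride None
        Options -Indexes -FollowSymLinks
    </Directory>

    # /data/sys is outside DocumentRoot and has no Alias, so Apache never
    # serves it; PHP pages reach the shared routines by include only.
    # Assumes mod_php (php_admin_value is provided by that module).
    php_admin_value include_path ".:/data/sys"
    php_admin_value open_basedir "/data/web/domain-name/public/:/data/sys/"
</VirtualHost>

# phpMyAdmin on its own virtual host and non-standard port,
# outside every site's web directory.
# Placeholder port
Listen 8081
<VirtualHost *:8081>
    # Placeholder host name
    ServerName dbadmin.example
    # Placeholder path, kept away from /data/web
    DocumentRoot "/data/admin/phpmyadmin"

    <Directory "/data/admin/phpmyadmin">
        # Placeholder admin network (documentation range)
        Require ip 192.0.2.0/24
        AllowOverride None
        Options -Indexes
    </Directory>
</VirtualHost>
```

Running `apachectl configtest` after installing the file checks the syntax before the server is reloaded.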