Hi,
Until a few months ago, when I had to setup a web server under CentOS, I assigned (I'm not sure about the correct english verb for "chown"ing) all the web pages to the apache user and group. To give you an example, let's say I have a static website under /var/www/myserver on a CentOS server running Apache. Then I would configure permissions for the web content like this:
# chown -R apache:apache /var/www/myserver # find /var/www/myserver -type d -exec chmod 0750 {} ; # find /var/www/myserver -type f -exec chmod 0640 {} ;
Some time ago a fellow sysadmin (Remi Collet on the fr.centos.org forum) pointed out that this is malpractice in terms of security, and that the stuff under /var/www should *not* be owned by the user/group running the webserver. Which means that for the static website above, I could have something like this, for example:
# chown -R microlinux:microlinux /var/www/myserver # find /var/www/myserver -type d -exec chmod 0755 {} ; # find /var/www/myserver -type f -exec chmod 0644 {} ;
Or even this:
# chown -R nobody:nobody /var/www/myserver # find /var/www/myserver -type d -exec chmod 0755 {} ; # find /var/www/myserver -type f -exec chmod 0644 {} ;
Now I'm hosting quite a few Wordpress sites on various CentOS servers. Some stuff in Wordpress has to be writable by Apache. If I want to keep stuff as secure as possible, here's the permissions I have to define.
# cd /var/www # chown -R microlinux:microlinux wordpress-site/ # find wordpress-site/ -type d -exec chmod 0755 {} ; # find wordpress-site/ -type f -exec chmod 0644 {} ; # cd wordpress-site/html # chown -R microlinux:apache wp-content/ # find wp-content/ -type d -exec chmod 0775 {} ; # find wp-content/ -type f -exec chmod 0664 {} ;
As far as I know, this is the most secure setup for Wordpress as far as permissions are concerned. The problem is, I can't use automatic updates anymore. Whenever Wordpress releases a new version, I have to set permissions temporarily like this:
# chown -R apache:apache /var/www/wordpress-site
Then I can launch the update from within the Wordpress dashboard. And once the update is complete, I have to redefine sane permissions as above. Which is quite a bit tedious if you have two dozen Wordpress sites to manage, even if you have little scripts to define the permissions.
So I'm finally coming to my question. How problematic is it really to have the apache user and group owning the stuff under /var/www? I admit I followed the users' advice out of respect for his competence. But as far as I know, sometimes you get security advice where the resulting hassle far outweighs the real benefits.
Any suggestions?
Cheers,
Niki