Hi,
I'm currently setting up a simple web server. So far, everything (PHP, MySQL) works very well, but I admit I never gave security that much thought. Time to change that habit.
First things first. The RHEL Deployment Guide lists Apache's configuration directives alphabetically. Instead of going through them from A to Z, I'll try to start with what seems more important, and then advance step by step.
User apache Group apache
As far as I understand, I have to chown all my web content accordingly, so that everything below /var/www/html belongs to apache:apache. Right?
cheers,
Niki
On Jan 29, 2008 11:25 AM, Niki Kovacs contact@kikinovak.net wrote:
As far as I understand, I have to chown all my web content accordingly, so that everything below /var/www/html belongs to apache:apache. Right?
You can, but I would only recommend doing that where the webserver itself will be responsible for changing files.
If apache owns everything in that directory, then it can modify them. This can potentially be undesirable. Depending on what you're doing, you'll have to mix and match permissions as needed. Mostly apache just needs to be able to read stuff, so having root own it with 644 is fine. If you're using a CMS which allows folks to edit things via the webserver, then those will have to be owned by apache, or apache will otherwise need rights to modify them. Have I made that muddled and complex enough?
Jim Perrin wrote:
If apache owns everything in that directory, then it can modify them. This can potentially be undesirable. Depending on what you're doing, you'll have to mix and match permissions as needed. Mostly apache just needs to be able to read stuff, so having root own it with 644 is fine. If you're using a CMS which allows folks to edit things via the webserver, then those will have to be owned by apache, or apache will otherwise need rights to modify them. Have I made that muddled and complex enough?
Yes! :o)
Most of the hosted stuff is indeed CMS, so I'll go for apache:apache.
Cheers,
Niki
On Tue, Jan 29, 2008 at 11:25 AM, Niki Kovacs contact@kikinovak.net wrote:
Hi,
I'm currently setting up a simple web server. So far, everything (PHP, MySQL) works very well, but I admit I never gave security that much thought. Time to change that habit.
First things first. The RHEL Deployment Guide lists Apache's configuration directives alphabetically. Instead of going through them from A to Z, I'll try to start with what seems more important, and then advance step by step.
User apache Group apache
As far as I understand, I have to chown all my web content accordingly, so that everything below /var/www/html belongs to apache:apache. Right?
cheers, Niki
Apache needs to be able to read web files, but in most cases it should NOT own them. If it owns them, there is a potential for the apache server process to change them, which you don't want. If someone were to compromise the apache server, they would be able to embed whatever they want into the web page files.
There are some cases when you might want apache to be able to write to files, but those are less frequent, so you should only change those specific files to apache ownership, or change the group permissions to allow writing from the group, and add apache to that group.
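The layout Jim and Brian describe above (root-owned, world-readable content, with write access for the httpd process confined to the few directories a CMS actually needs), as an added shell example that is not from the thread. It assumes the server runs with Niki's "User apache / Group apache" directives, and takes the document root, the owner/group and the writable subdirectories as arguments, so it can be tried on a scratch directory as an unprivileged user before being run as root against /var/www/html; the wp-content/uploads path and the helper names are illustrative, not from the original messages.

```sh
#!/bin/sh
# Added example, not part of the original thread.
#
# harden_docroot DOCROOT OWNER WEBGROUP [WRITABLE_SUBDIR ...]
#
# Make everything under DOCROOT readable but not writable by the httpd
# process, then open up only the listed subdirectories (uploads, cache)
# for writing through WEBGROUP, the group httpd runs as ("Group apache").
# Production use (as root): harden_docroot /var/www/html root apache wp-content/uploads
harden_docroot() {
    docroot=$1 owner=$2 webgroup=$3
    shift 3

    # Baseline: owner may write, group and others may only read (files)
    # and traverse (directories). With owner=root and webgroup=apache this
    # is Jim's "root with 644": a compromised httpd cannot rewrite pages.
    chown -R "$owner:$webgroup" "$docroot" || return 1
    find "$docroot" -type d -exec chmod 755 {} + || return 1
    find "$docroot" -type f -exec chmod 644 {} + || return 1

    # Exceptions: the CMS's writable areas. Keep root as owner, give the
    # web server's group write access (Brian's second option), and set the
    # setgid bit on directories so files created there by anyone, whether an
    # admin's shell or the web server, stay in WEBGROUP.
    for sub in "$@"; do
        dir="$docroot/$sub"
        mkdir -p "$dir" || return 1
        chown -R "$owner:$webgroup" "$dir" || return 1
        find "$dir" -type d -exec chmod 2775 {} + || return 1
        find "$dir" -type f -exec chmod 664 {} + || return 1
    done
}

# mode_of PATH: the ten-character permission string from ls, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_writable PATH: succeeds only if the group write bit (column 6) is set
group_writable() {
    case $(mode_of "$1") in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}
```

A directory the web server can write to is also where an uploaded file of an attacker's choosing ends up, so when mod_php is in use it is worth pairing this with a `<Directory>` block for the uploads path that turns script execution off there (`php_admin_flag engine off`, an assumed addition not discussed in the thread).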
On Tuesday, January 29, 2008 11:51 AM -0500 Brian Mathis brian.mathis@gmail.com wrote:
There are some cases when you might want apache to be able to write to files, but those are less frequent, so you should only change those specific files to apache ownership, or change the group permissions to allow writing from the group, and add apache to that group.
It would be nice if the initscript supported running multiple instances of Apache as different users. (See the VNC service for a case where this is done.) For example, a default installation for general web use, and another installation for BackupPC running as backuppc.backuppc. Or another installation running as user asterisk to run one's PBX.