I have a site running drupal. The apache user therefore needs to be able to write certain files (CSS files for example).
I also have a directory under my web root which is a SAN mount, to which apache must be able to write.
What is the most secure way to implement this?
I am thinking:
chown -R root:apache /var/www/html chmod -R 0750 /var/www/html chown apache:apache for where need to write
Is there a better way?
S.
Stephen Nelson-Smith wrote:
I have a site running drupal. The apache user therefore needs to be able to write certain files (CSS files for example).
I also have a directory under my web root which is a SAN mount, to which apache must be able to write.
What is the most secure way to implement this?
I am thinking:
chown -R root:apache /var/www/html chmod -R 0750 /var/www/html chown apache:apache for where need to write
Yes, use acl and selinux.
-- Eero
Hi,
What is the most secure way to implement this?
I am thinking:
chown -R root:apache /var/www/html chmod -R 0750 /var/www/html chown apache:apache for where need to write
Yes, use acl and selinux.
Could you expand? Have you an example you could point me at? I'm happy to read any relevant documentation, but having a map helps.
S.
Hi,
On Fri, Nov 27, 2009 at 12:46 PM, Stephen Nelson-Smith stephen@atalanta-systems.com wrote:
I have a site running drupal. The apache user therefore needs to be able to write certain files (CSS files for example).
I also have a directory under my web root which is a SAN mount, to which apache must be able to write.
What is the most secure way to implement this?
I am thinking:
chown -R root:apache /var/www/html chmod -R 0750 /var/www/html chown apache:apache for where need to write
Is there a better way?
What is usually a good approach is to setup specific directories where Apache can write (like "files" or "images") and then disable PHP/other code execution from that directory. So if someone is able to hack your web app and upload something (malicious code) into that directory, it won't get executed.
To put it briefly: keep your executable code and upload directories separate.
Cheers, Peter
Hey
On Fri, Nov 27, 2009 at 10:46 AM, Stephen Nelson-Smith stephen@atalanta-systems.com wrote:
I have a site running drupal. The apache user therefore needs to be able to write certain files (CSS files for example).
I also have a directory under my web root which is a SAN mount, to which apache must be able to write.
What is the most secure way to implement this?
I am thinking:
chown -R root:apache /var/www/html chmod -R 0750 /var/www/html chown apache:apache for where need to write
Is there a better way?
This might be an idea http://www.faqs.org/docs/securing/chap29sec254.html
and this
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-acls.html
of course disabling execution of files in your upload dir is really important.
Cheers Didi
-
Eero Volotinen -
Geerd-Dietger Hoffmann -
Peter Peltonen -
Stephen Nelson-Smith