[CentOS] Apache: User and Group

Tue Jan 29 16:51:21 UTC 2008
Brian Mathis <brian.mathis at gmail.com>

On Tue, Jan 29, 2008 at 11:25 AM, Niki Kovacs <contact at kikinovak.net> wrote:
> Hi,
>
>  I'm currently setting up a simple web server. So far, everything (PHP,
>  MySQL) works very well, but I admit I never gave security that much
>  thought. Time to change that habit.
>
>  First things first. The RHEL Deployment Guide lists Apache's
>  configuration directives alphabetically. Instead of going through them
>  from A to Z, I'll try to start with what seems more important, and then
>  advance step by step.
>
>  User apache
>  Group apache
>
>  As far as I understand, I have to chown all my web content accordingly,
>  so that everything below /var/www/html belongs to apache:apache. Right?
>
>  cheers,
>  Niki

Apache needs to be able to read web files, but in most cases it should
NOT own them.  If it owns them, there is a potential for the apache
server process to change them, which you don't want.  If someone were
to compromise the apache server, they would be able to embed whatever
they want into the web page files.

There are some cases when you might want apache to be able to write to
files, but those are less frequent, so you should only change those
specific files to apache ownership, or change the group permissions to
allow writing from the group, and add apache to that group.