On Tue, Jan 29, 2008 at 11:25 AM, Niki Kovacs <contact at kikinovak.net> wrote: > Hi, > > I'm currently setting up a simple web server. So far, everything (PHP, > MySQL) works very well, but I admit I never gave security that much > thought. Time to change that habit. > > First things first. The RHEL Deployment Guide lists Apache's > configuration directives alphabetically. Instead of going through them > from A to Z, I'll try to start with what seems more important, and then > advance step by step. > > User apache > Group apache > > As far as I understand, I have to chown all my web content accordingly, > so that everything below /var/www/html belongs to apache:apache. Right? > > cheers, > Niki Apache needs to be able to read web files, but in most cases it should NOT own them. If it owns them, there is a potential for the apache server process to change them, which you don't want. If someone were to compromise the apache server, they would be able to embed whatever they want into the web page files. There are some cases when you might want apache to be able to write to files, but those are less frequent, so you should only change those specific files to apache ownership, or change the group permissions to allow writing from the group, and add apache to that group.