[CentOS] OT: SA/Apache "Best Practice"?

Fri Oct 31 18:12:57 UTC 2008
Paul Heinlein <heinlein at madboa.com>

On Fri, 31 Oct 2008, Camron W. Fox wrote:

> [Our customer has] asked, that we change the default directory 
> permission/ownership of /var/www/html,cgi-bin, instead of using the 
> Documentroot and ScriptAlias parameters in the apache configuration.
>
> drwxr-xr-x 2 root root 4096 Jan 11  2008 /var/www/cgi-bin
> drwxr-xr-x 2 root root 4096 Jan 11  2008 /var/www/html
>
> to
>
> drwxrwxr-x 2 root user 4096 Jan 11  2008 /var/www/cgi-bin
> drwxrwxr-x 2 root user 4096 Jan 11  2008 /var/www/html
>
> We have explained that it is preferable *not* to modify the default 
> filesystem configuration of the underlying OS and have recommended 
> that they customize the app by specifying a location of their choice 
> in httpd.conf. They argue that they "just want to use the system 
> default location". There is no *technical* reason for this, 
> according to them. The location does not affect the app.
>
> None of the other web servers we manage for them use the RHEL apache 
> default, they all have customized locations for content and scripts.
>
> My question is:
>
> What argument, if any, would you use to try and convince the 
> customer that this is a bad idea/bad practice?

Updates to the httpd package will overwrite those permissions, so 
there will need to be a cron job (or very vigilant SA) that monitors 
those perms, re-customizing them as necessary.

Otherwise, what they're asking isn't all that unusual, imo.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
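
The cron-driven permission check mentioned in the reply could look like the following. This is an added example, not part of the original thread; it assumes GNU coreutils `stat`, takes the wanted mode, owner and group from the listing in the quoted message, and the script name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils stat(1).
# Wanted state, taken from the listing in the post: mode 775, root:user.
WANT_MODE=775 WANT_OWNER=root WANT_GROUP=user
WEB_DIRS="/var/www/html /var/www/cgi-bin"

# check_dir PATH MODE OWNER GROUP
# Returns 0 on match, 1 on drift (prints the difference),
# 2 if PATH is not a real directory (symlinks are refused).
check_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || { echo "MISSING $1"; return 2; }
    have=$(stat -c '%a %U %G' "$1") || return 2
    [ "$have" = "$2 $3 $4" ] && return 0
    echo "DRIFT $1: have '$have', want '$2 $3 $4'"
    return 1
}

# restore_dir PATH MODE OWNER GROUP
# Re-applies only the attributes that differ; never follows a symlink.
restore_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 2
    [ "$(stat -c '%U:%G' "$1")" = "$3:$4" ] || chown "$3:$4" "$1" || return 1
    [ "$(stat -c '%a' "$1")" = "$2" ] || chmod "$2" "$1" || return 1
}

# audit_web_dirs [--fix]
# Checks every directory in WEB_DIRS; with --fix, restores drifted ones.
# Prints only on drift, so a cron job stays silent while nothing changed.
# Returns non-zero if any directory had drifted or was missing.
audit_web_dirs() {
    status=0
    for d in $WEB_DIRS; do
        if ! check_dir "$d" "$WANT_MODE" "$WANT_OWNER" "$WANT_GROUP"; then
            status=1
            [ "${1:-}" = "--fix" ] &&
                restore_dir "$d" "$WANT_MODE" "$WANT_OWNER" "$WANT_GROUP"
        fi
    done
    return $status
}

# Runs only with an explicit action, e.g. from cron (hypothetical name):
#   check-web-perms.sh audit --fix
if [ "${1:-}" = "audit" ]; then audit_web_dirs "${2:-}"; fi
```

Running it without `--fix` first shows how often package updates actually reset the directories before anything is changed automatically.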