[CentOS] Best way to secure apache web root

Fri Nov 27 13:53:27 UTC 2009
Peter Peltonen <peter.peltonen at gmail.com>

Hi,

On Fri, Nov 27, 2009 at 12:46 PM, Stephen Nelson-Smith
<stephen at atalanta-systems.com> wrote:
> I have a site running drupal.  The apache user therefore needs to be
> able to write certain files (CSS files for example).
>
> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write
>
> Is there a better way?

What is usually a good approach is to set up specific directories where
Apache can write (like "files" or "images") and then disable PHP/other
code execution from that directory. So if someone is able to hack your
web app and upload something (malicious code) into that directory, it
won't get executed.

To put it briefly: keep your executable code and upload directories separate.

Cheers,
Peter
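
The separation rule from the reply above can be checked mechanically. The script below is an added example, not part of the original thread: it lists directories the web server account can write to and flags any script files inside them. The default account name `apache`, the file-name patterns, the function names and the constructed demo tree are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: web server user/group
# "apache", and the name patterns below are what counts as server-side code.

# Directories under $1 that user $2 / group $3 can write to, by mode bits:
# owner-writable and owned by the user, group-writable and owned by the
# group, or world-writable.
writable_dirs() {
    root=$1 user=${2:-apache} group=${3:-apache}
    find "$root" -type d \( \
        \( -user "$user" -perm -0200 \) -o \
        \( -group "$group" -perm -0020 \) -o \
        -perm -0002 \) -print
}

# Script files anywhere below a writable directory. "*.php.*" is included
# because mod_mime can act on an extension that is not the last one.
code_in_writable_dirs() {
    writable_dirs "$@" | while IFS= read -r dir; do
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php.*' \
            -o -iname '*.phtml' -o -iname '*.cgi' -o -iname '*.pl' \) -print
    done | sort -u
}

# Exit status 0 when code and writable directories are separate, 1 otherwise.
audit_webroot() {
    found=$(code_in_writable_dirs "$@")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/code in writable directory: /'
    return 1
}

# Constructed sample tree: read-only code, one writable "files" directory.
make_demo_tree() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/modules" "$demo/files/css"
    echo '<?php // site code' > "$demo/index.php"
    echo '<?php // module code' > "$demo/modules/node.php"
    echo 'body { margin: 0 }' > "$demo/files/css/site.css"
    chmod 0555 "$demo" "$demo/modules"   # stand-in for root:apache 0750
    chmod 0755 "$demo/files" "$demo/files/css"
    printf '%s\n' "$demo"
}

# Usage: sh audit.sh /var/www/html [user] [group]
if [ "$#" -gt 0 ]; then audit_webroot "$@"; fi
```

A non-zero exit means a script file sits somewhere the web server can write, which is the layout the reply advises against. The check reads mode bits and ownership only, so POSIX ACLs and mount options are not taken into account.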