On Tue, Sep 15, 2009 at 6:39 AM, Ralph Angenendt <ralph.angenendt at gmail.com> wrote:
>
> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
>> I remember having set up some web servers on Debian, and the tradition
>> was that everything under /var/www/html (as in this example) was to be
>> owned by user www-data and group www-data.
>>
>> What's the "tradition" with RHEL/CentOS?
>
> apache:apache - at least that is the UID/GID the webserver runs under.
>
> Ralph
>

This is EXTREMELY DANGEROUS!!!!

Do NOT give the same ownership to the files as the user/group that apache runs as!

As apache runs as apache:apache, setting all of the files with that same owner/group gives everyone on the Internet the possibility to write to any web server files on your server. DO NOT DO THIS!!!

If there's a bug that allows file write access in apache or in any of the program files you run as cgi/php/etc., then an attacker can write to anywhere in your web site/web app, and gain access to pretty much the entire server. They could plant malware that is served up to all your web users, implant programs that you might run yourself or as root, possibly open up shell access and login to your server, etc.

The correct permissions for all of your web files are any user that the web server is NOT running as. If your web apps need the ability to upload files or to write to specific files, you will have to change those exceptions to apache:apache, but keep that as minimal as possible.
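The ownership rule in the reply above is easy to state and easy to drift away from over time, so a quick audit of the document root is worth having. The following is an added example, not code from the thread or from any CentOS/Apache tooling: it walks a docroot and reports every path that the web server account could write to, judged from the owner/group/other mode bits against the uid/gid the server runs as, and keeps paths under an explicit allow-list (an uploads directory, for instance) in a separate bucket so the exceptions stay visible and minimal. The `build_sample_docroot` tree and the `uploads`/`debug.log` names are constructed for the demonstration; `demo()` runs the audit twice, once pretending the current user is the web user (the dangerous "everything is apache:apache" layout) and once with an unrelated uid/gid (the recommended layout), which is the same comparison you would make on a real host with the real `apache` uid/gid.

```python
"""Audit a document root for paths the web server account could modify.

Added example for the ownership advice above (not code from the thread).
Equivalent quick checks from a shell on a real host would be
find /var/www/html -user apache -perm -u+w and
find /var/www/html -perm -o+w; this script does the same bit tests in
Python so the result can be inspected programmatically.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field


@dataclass
class AuditResult:
    writable: list = field(default_factory=list)  # web user can write, not on the allow-list
    allowed: list = field(default_factory=list)   # web user can write, inside an allowed dir


def web_user_can_write(st, web_uid, web_gid):
    """True if an account running as (web_uid, web_gid) could write to an inode
    described by os.stat_result `st`, judged from the owner/group/other bits."""
    mode = st.st_mode
    if st.st_uid == web_uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == web_gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_docroot(root, web_uid, web_gid, allowed_dirs=()):
    """Walk `root` and classify every directory and regular file the web user
    could write to. `allowed_dirs` are paths relative to root (e.g. "uploads")
    where write access is intended; anything else is a finding."""
    root = os.path.abspath(root)
    allowed = tuple(os.path.abspath(os.path.join(root, d)) for d in allowed_dirs)
    result = AuditResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        # "" stands for the directory itself; every directory is visited once as dirpath
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; the target is audited where it lives
            if not web_user_can_write(st, web_uid, web_gid):
                continue
            rel = os.path.relpath(path, root)
            if any(path == a or path.startswith(a + os.sep) for a in allowed):
                result.allowed.append(rel)
            else:
                result.writable.append(rel)
    return result


def build_sample_docroot(base):
    """Construct a small sample tree (constructed data, not a real site).
    Modes are set explicitly so the result does not depend on the umask."""
    root = os.path.join(base, "html")
    os.makedirs(os.path.join(root, "uploads"))
    for rel, mode in [("index.html", 0o644), ("app.php", 0o644),
                      ("config.inc", 0o660), ("debug.log", 0o666)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o770)  # the one intended write location
    return root


def demo():
    """Audit the sample tree twice and return (as_web_user_owner, as_other_owner).
    The first run treats the current uid/gid as the web server's (the layout the
    reply warns against); the second uses an unrelated uid/gid (the safe layout)."""
    with tempfile.TemporaryDirectory() as base:
        root = build_sample_docroot(base)
        as_web_user = (os.getuid(), os.getgid())
        as_other = (os.getuid() + 100000, os.getgid() + 100000)  # assumed unused ids
        bad = audit_docroot(root, *as_web_user, allowed_dirs=("uploads",))
        good = audit_docroot(root, *as_other, allowed_dirs=("uploads",))
    return bad, good


if __name__ == "__main__":
    bad, good = demo()
    print("files owned by the web user -> writable:", sorted(bad.writable),
          "allowed:", bad.allowed)
    print("files owned by someone else -> writable:", sorted(good.writable),
          "allowed:", good.allowed)
```

In the first run every file, and the docroot directory itself, shows up as writable, which is the condition that turns any write bug in Apache or a PHP/CGI script into a site-wide compromise; in the second run only the world-writable `debug.log` is flagged, and `uploads` no longer appears at all because the unrelated account cannot write there, so on a real host that directory (and only that directory) would be the one to hand to `apache:apache`.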