On Tue, Sep 15, 2009 at 11:58 AM, Olaf Mueller <daily-planet at istari.de> wrote: > Filipe Brandenburger wrote: >> On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt >> <ralph.angenendt at gmail.com> wrote: >>> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote: >>>> I remember having setup some web servers on Debian, and the >>>> tradition was that everything under /var/www/html (as in this >>>> example) was to be owned by user www-data and group www-data. >>>> >>>> What's the "tradition" with RHEL/CentOS? >>> >>> apache:apache - at least that is the UID/GID the webserver runs >>> under. >> >> That's wrong. If your files are owned by Apache, any user that can >> break into your server through Apache will be able to change those >> files (i.e., deface your website). > Why wrong? Concerning webdav, how would you get write acces for users to > write to directories? > > Now I am a little bit confused, is your answer under > http://www.linux-archive.org/centos/354005-webdav-centos.html also > wrong now? You recommended apache:apache for webdav there. > One must think about the application at hand and not make blanket statements about this or that. Obviously, as noted above, anything that needs write access to the server disk will need to be owned by the user who is running apache. WebDAV would clearly be one of those cases, while hosting a web site would not. You are being disingenuous here by selectively editing out the relevant quoted text from the same message above, which I will add back in as a quote here: > Filipe Brandenburger wrote: > The only files you want writable by Apache are the ones that a web > application needs to write, like session files in PHP or config file > controlled by a web admin interface. > By the way, if someone breaks into your server through Apache, > apache:apache is your lowest problem, that's my opinion. > > regards > Olaf This statement is quite silly. The type of configuration above could be the vector by which the server is compromised, so it is not at all the lowest problem. In that case it WOULD *BE* the problem.