Les Mikesell wrote:
> Olaf Mueller wrote:
>> Filipe Brandenburger wrote:
>>
>>> On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt
>>> <ralph.angenendt at gmail.com> wrote:
>>>> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
>>>>> I remember having set up some web servers on Debian, and the
>>>>> tradition was that everything under /var/www/html (as in this
>>>>> example) was to be owned by user www-data and group www-data.
>>>>>
>>>>> What's the "tradition" with RHEL/CentOS?
>>>> apache:apache - at least that is the UID/GID the webserver runs
>>>> under.
>>> That's wrong. If your files are owned by Apache, any user that can
>>> break into your server through Apache will be able to change those
>>> files (i.e., deface your website).
>> Why wrong? Concerning WebDAV, how would you get write access for users
>> to write to directories?
>>
>> Now I am a little bit confused, is your answer under
>> http://www.linux-archive.org/centos/354005-webdav-centos.html also
>> wrong now? You recommended apache:apache for WebDAV there.
>
> WebDAV resources typically need write access.
>
>> By the way, if someone breaks into your server through Apache,
>> apache:apache is your lowest problem, that's my opinion.
>
> It is a fairly high risk if you run server-side code (php, perl, etc)
> for anything. It lets the intruder write where apache is allowed to
> write. That doesn't have to be anywhere unless you permit uploads.

Yes, that is also my opinion. The thing which disturbed me was the
statement "That's wrong." It is a risk, but not wrong.

regards
Olaf
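The practical check behind this thread is "which files under the document root could the web-server identity modify?", because that is exactly what an intruder who gets code execution through Apache inherits. The script below is an added example, not code from the list or from any of the posters. It audits a tree for paths writable by a given uid/gid set using the ordinary Unix owner/group/other rule, and lets you allowlist the directories that are meant to be writable (a WebDAV collection, an upload directory). The sample tree it builds is constructed for the demonstration: the user running the script stands in for the `apache` identity, so a file it owns with the owner-write bit plays the role of "apache:apache, 0644", and a file without that bit plays the role of content apache can read but not change. On a real host you would pass apache's real uid and gids (from `pwd`/`grp`) and point it at /var/www/html.

```python
"""Audit a web root for paths the web-server identity could write.

Added example (not from the CentOS list thread).  Assumptions: Linux/POSIX
permission semantics; the identity checked is unprivileged (the root override
of mode bits is deliberately not modelled); ACLs are not considered.
"""
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Classic Unix rule: if the uid owns the entry only the owner bits count;
    else if any gid matches, the group bits; else the 'other' bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_webroot(root, uid, gids, allowed=()):
    """Return sorted paths (relative to root) that uid/gids could modify,
    skipping anything at or below the relative prefixes in `allowed`.

    Directories are reported too: write permission on a directory lets the
    web server create, rename or delete entries in it, which is how a
    'permitted upload' location turns into a place to drop a web shell."""
    root = os.path.abspath(root)
    allowed = tuple(os.path.normpath(a) for a in allowed)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(path, root)
            if rel != "." and any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; audit the target separately
            if writable_by(st, uid, gids):
                findings.append(rel)
    return sorted(findings)


def build_demo_tree():
    """Constructed sample layout (not a real server) owned by the running user:
      index.html  0644  -> 'apache:apache, writable' (the defacement case)
      config.php  0440  -> readable by apache, not writable
      dav/        0755  -> WebDAV collection, intentionally writable
      uploads/    0775  -> a forgotten writable directory
    The docroot itself is set to 0555 last, so the web server cannot add files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    def put(rel, mode, data=b"x"):
        p = os.path.join(root, rel)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)
    put("index.html", 0o644, b"<html>hello</html>")
    put("config.php", 0o440, b"<?php $db_pass = 'example'; ?>")
    os.mkdir(os.path.join(root, "dav"))
    put("dav/notes.txt", 0o644)
    os.chmod(os.path.join(root, "dav"), 0o755)
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o775)
    os.chmod(root, 0o555)
    return root


def run_demo():
    """Audit the constructed tree as the current user, who stands in for the
    apache identity.  Returns (findings with dav/ allowlisted, findings with
    no allowlist)."""
    root = build_demo_tree()
    me, mygids = os.getuid(), {os.getgid()}
    return (audit_webroot(root, me, mygids, allowed=("dav",)),
            audit_webroot(root, me, mygids))


if __name__ == "__main__":
    strict, loose = run_demo()
    print("writable by the web server outside the allowlist:", strict)
    print("writable by the web server, no allowlist:", loose)
```

With `dav/` allowlisted the audit reports only `index.html` and `uploads`, which is the list an administrator on this thread would want to see: the first is the "files owned by apache can be defaced" case, the second is a directory where uploads are permitted whether or not anyone meant them to be. Run without an allowlist it also reports the WebDAV collection, which is the write access Olaf's question was about.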