[CentOS] apache docroot permissions

Wed May 4 20:34:45 UTC 2011
Johnny Hughes <johnny at centos.org>

On 05/04/2011 02:49 PM, Johan Martinez wrote:
> On Wed, May 4, 2011 at 12:58 PM, Kenneth Porter <shiva at sewingwitch.com> wrote:
> > User apache only needs read access except under special conditions, such as
> > a script that needs to store configuration in a file. And a lot of apps
> > store their state in a DB so they don't need filesystem write access at
> > all.
> > Set the permissions as strict as possible, so that if an attacker finds a
> > bug in apache, he does as little damage as possible.
> Thanks for the suggestions Richard and Kenneth. I installed Drupal here
> and it requires the user running apache to have write access on the
> filesystem. Otherwise it complains: 'The directory sites/default/files is
> not writable'. The content editors/developers need write access to
> theme/pictures folders. So it seems like I can't avoid giving write
> access to the apache user. Any hacks or tips here?

You may not need it in this case, but you can set up your mount using
ACLs, then use setfacl to assign more than just one group or user to
have permissions on a directory.  You can keep that in mind if httpd
gets upset about having a different group than apache.


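One way to apply the setfacl suggestion above to the Drupal layout from the question, as an added example that is not part of the original thread. The docroot path, the `editors` group and the `sites/all/themes` location are assumptions; the script only prints the commands unless `ACL_RUN` is set to an empty value.

```bash
#!/bin/bash
# Added example, not from the thread. Dry run by default: commands are
# printed. Run with ACL_RUN= (empty) as root to apply them.
# The filesystem must be mounted with ACL support (ext3/ext4: "acl" option).
ACL_RUN=${ACL_RUN-echo}

apply_docroot_acls() {
    docroot=$1     # assumed path, e.g. /var/www/html
    web_user=$2    # account httpd runs as ("apache" on CentOS)
    editors=$3     # hypothetical group holding the content editors
    uploads="$docroot/sites/default/files"   # directory Drupal complained about
    themes="$docroot/sites/all/themes"       # assumed location of theme files

    # Baseline: root owns the tree, nobody else gets access via mode bits.
    $ACL_RUN chown -R root:root "$docroot"
    $ACL_RUN chmod -R u=rwX,g=rX,o= "$docroot"

    # httpd may read and traverse everything, but write nothing by default.
    $ACL_RUN setfacl -R -m "u:$web_user:rX" "$docroot"

    # Write access for httpd only where Drupal stores uploads; the default
    # (-d) entry makes new files and subdirectories inherit it.
    $ACL_RUN setfacl -R -m "u:$web_user:rwX" "$uploads"
    $ACL_RUN setfacl -R -d -m "u:$web_user:rwX" "$uploads"

    # Editors get write access to themes and uploads, independent of httpd.
    for dir in "$themes" "$uploads"; do
        $ACL_RUN setfacl -R -m "g:$editors:rwX" "$dir"
        $ACL_RUN setfacl -R -d -m "g:$editors:rwX" "$dir"
    done

    # Show the result for review.
    $ACL_RUN getfacl "$docroot" "$uploads" "$themes"
}

# Usage: script.sh /var/www/html apache editors
if [ "$#" -eq 3 ]; then apply_docroot_acls "$@"; fi
```

The ACL commands run after `chmod` on purpose: `chmod` on a file with an ACL rewrites the mask, and `setfacl -m` recalculates it.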