[CentOS] apache docroot permissions

Thu May 5 00:38:57 UTC 2011
Gordon Messmer <yinyang at eburg.com>

On 05/04/2011 12:49 PM, Johan Martinez wrote:
> Thanks for the suggestions Richard and Kenneth. I installed drupal here
> and it requires user running apache to have write access on filesystem.
> Otherwise it complains: 'The directory sites/default/files is not
> writable'. The content editors/developers need write access to
> theme/pictures folders. So it seems like I can't avoid giving write
> access to apache user. Any hacks or tips here?

Tip 1:
Your files and directories can have different permissions.  Rather than 
your original setup, try:

chown -R apache:contenteditors /var/www/html
find /var/www/html -type f -exec chmod 0464 {} +
find /var/www/html -type d -exec chmod 2575 {} +


chown -R apache:apache /var/www/html
find /var/www/html -type f -exec setfacl -m g:contenteditors:rw {} +
find /var/www/html -type d -exec setfacl -m g:contenteditors:rwx {} +

Tip 2:
Don't install Drupal in /var/www/html.  Generally, /var/www/html should 
be used only for static content.  Web applications should be installed 
outside the document root to prevent a misconfiguration from allowing 
remote clients to download files that might contain configurations, 
passwords, or other sensitive information.  See the RPM-packaged Drupal 
for an example of how this is done.

Tip 3:
If your application says that it needs write access to 
"sites/default/files", then add write access only for that directory.
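
An added example (not part of the original message): it applies the modes from Tip 1 and the single writable directory from Tip 3 to a constructed tree, then audits for anything else the owner can write. It assumes the tree's owner stands in for the apache account; the function names are hypothetical.

```shell
#!/bin/sh
# Assumption: the tree is owned by the web server account (apache in Tip 1),
# so "owner-writable" here means "writable by the web server".

# Apply the Tip 1 modes, then the Tip 3 exception.
# $1 = application root, $2 = relative path the application may write to
apply_modes() {
    find "$1" -type f -exec chmod 0464 {} +
    find "$1" -type d -exec chmod 2575 {} +
    chmod -R u+w "$1/$2"
}

# Print every path that owner $2 (name or numeric uid) can write to
# outside the allowed relative path $3. No output means nothing has drifted.
audit_owner_writable() {
    find "$1" -user "$2" -perm -200 \
        ! -path "$1/$3" ! -path "$1/$3/*" -print
}

# Constructed sample tree; the current user plays the role of apache.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sites/default/files" "$root/themes"
    : > "$root/index.php"
    : > "$root/sites/default/settings.php"
    : > "$root/sites/default/files/upload.png"

    apply_modes "$root" sites/default/files
    echo "after apply_modes (expect no paths):"
    audit_owner_writable "$root" "$(id -u)" sites/default/files

    # Simulate drift: a config file becomes writable by the server account.
    chmod u+w "$root/sites/default/settings.php"
    echo "after drift (expect settings.php):"
    audit_owner_writable "$root" "$(id -u)" sites/default/files

    # Directories were made read-only for the owner; restore before cleanup.
    chmod -R u+w "$root"
    rm -rf "$root"
}

demo
```

On a real host the audit would be run as `audit_owner_writable /path/to/app apache sites/default/files`, for example from cron, so that any newly writable path shows up as output.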