On 01/25/2014 07:32 AM, Steven Tardy wrote:
> On Sat, Jan 25, 2014 at 7:33 AM, Joseph Hesse <joehesse at gmail.com> wrote:
>
>> I am running a Lamp server on a CentOS 6.5 box. It works fine, I am
>> concerned that I may have the wrong file/dir permissions.
>>
>> The directories /var and /var/www are root:root and 755.
>>
>> For /var/www/html and all directories underneath I have apache:apache
>> and 770.
>>
>> For all files under /var/www/html I have apache:apache and 660.
>>
>> Are these permissions OK?
>>
>> Thank you,
>> Joe
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
> the problem with your /var/www/html permissions is the user/group "apache"
> can write to directories and files. which can be used by anyone on the
> internet (bad guys) to use potentially exploitable dynamic
> pages (.php/.cgi/etc) to add/modify files on your server. this is a bad
> thing. SELinux may offer some protections.
> i would:
> chmod -R g-w /var/www/html
> chown -R somewebuser /var/www/html
> (replace somewebuser with the unix user account to modify the website.)
>
> http://wiki.apache.org/httpd/FileSystemPermissions

I now understand, by rtfd, how to set it up so apache owns nothing and
does not have write permission.

For my understanding, please tell me what a bad guy would have to do to
exploit apache having read/write permission.

Thank you,
Joe
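
A read-only check for the end state discussed in this thread (the web server account owns nothing under the document root and cannot write there), added here as an example and not part of the original messages. The function name `audit_docroot` and its output labels are assumptions; on the CentOS box described, the account and group would both be `apache`.

```shell
#!/bin/sh
# Added example: list every path under a document root that the web
# server account could modify. Nothing is changed on disk.
#
# audit_docroot ROOT WEB_USER WEB_GROUP
#   Prints one line per finding as "<reason> <path>".
#   Returns 0 when the tree is clean, 1 when anything was found.
audit_docroot() {
    root=$1 web_user=$2 web_group=$3
    findings=$(
        # Owned by the web server user: an owner can always chmod the
        # file back to writable, so ownership alone counts as write access.
        find "$root" -user "$web_user" \
            -exec printf 'owned-by-web-user %s\n' {} +
        # In the web server's group with the group write bit (020) set.
        # Symlinks are skipped because their mode bits are not enforced.
        find "$root" ! -type l -group "$web_group" -perm -020 \
            -exec printf 'group-writable %s\n' {} +
        # World-writable (002): writable by every local account,
        # the web server included.
        find "$root" ! -type l -perm -002 \
            -exec printf 'world-writable %s\n' {} +
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# When run as a script with three arguments, audit that tree, e.g.:
#   sh audit_docroot.sh /var/www/html apache apache
if [ $# -eq 3 ]; then
    audit_docroot "$@"
fi
```

With the original apache:apache 770/660 layout every path is reported as owned by the web user; after the `chmod -R g-w` and `chown -R somewebuser` suggested above, the function should print nothing and return 0.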