[CentOS] Apache and web content permissions

Leon Fauster leonfauster at googlemail.com
Sat Dec 2 13:19:51 UTC 2017


> Am 02.12.2017 um 10:30 schrieb Nicolas Kovacs <info at microlinux.fr>:
> 
> Hi,
> 
> Until a few months ago, when I had to setup a web server under CentOS, I
> assigned (I'm not sure about the correct english verb for "chown"ing)
> all the web pages to the apache user and group. To give you an example,
> let's say I have a static website under /var/www/myserver on a CentOS
> server running Apache. Then I would configure permissions for the web
> content like this:
> 
> # chown -R apache:apache /var/www/myserver
> # find /var/www/myserver -type d -exec chmod 0750 {} \;
> # find /var/www/myserver -type f -exec chmod 0640 {} \;
> 
> Some time ago a fellow sysadmin (Remi Collet on the fr.centos.org forum)
> pointed out that this is malpractice in terms of security, and that the
> stuff under /var/www should *not* be owned by the user/group running the
> webserver. Which means that for the static website above, I could have
> something like this, for example:
> 
> # chown -R microlinux:microlinux /var/www/myserver
> # find /var/www/myserver -type d -exec chmod 0755 {} \;
> # find /var/www/myserver -type f -exec chmod 0644 {} \;
> 
> Or even this:
> 
> # chown -R nobody:nobody /var/www/myserver
> # find /var/www/myserver -type d -exec chmod 0755 {} \;
> # find /var/www/myserver -type f -exec chmod 0644 {} \;
> 
> Now I'm hosting quite a few Wordpress sites on various CentOS servers.
> Some stuff in Wordpress has to be writable by Apache. If I want to keep
> stuff as secure as possible, here's the permissions I have to define.
> 
> # cd /var/www
> # chown -R microlinux:microlinux wordpress-site/
> # find wordpress-site/ -type d -exec chmod 0755 {} \;
> # find wordpress-site/ -type f -exec chmod 0644 {} \;
> # cd wordpress-site/html
> # chown -R microlinux:apache wp-content/
> # find wp-content/ -type d -exec chmod 0775 {} \;
> # find wp-content/ -type f -exec chmod 0664 {} \;
> 
> As far as I know, this is the most secure setup for Wordpress as far as
> permissions are concerned. The problem is, I can't use automatic updates
> anymore. Whenever Wordpress releases a new version, I have to set
> permissions temporarily like this:
> 
> # chown -R apache:apache /var/www/wordpress-site
> 
> Then I can launch the update from within the Wordpress dashboard. And
> once the update is complete, I have to redefine sane permissions as
> above. Which is quite a bit tedious if you have two dozen Wordpress
> sites to manage, even if you have little scripts to define the permissions.
> 
> So I'm finally coming to my question. How problematic is it really to
> have the apache user and group owning the stuff under /var/www? I admit
> I followed the users' advice out of respect for his competence. But as
> far as I know, sometimes you get security advice where the resulting
> hassle far outweighs the real benefits.
> 
> Any suggestions?


I would build a rpm package of wordpress (everything can be defined there like permissions etc) 
and disabling the automatic update function in wordpress. Build once it can be installed on all
(two dozen) webservers automagically (local yum repository) ...

--
LF



 





More information about the CentOS mailing list