[CentOS] Apache and web content permissions

Sat Dec 2 21:26:11 UTC 2017
Richard <lists-centos at listmail.innovate.net>


> Date: Saturday, December 02, 2017 22:14:19 +0100
> From: Nicolas Kovacs <info at microlinux.fr>
>
> Le 02/12/2017 à 10:30, Nicolas Kovacs a écrit :
> 
> ==> Reminder: this is actually the question I'm asking in my post.
> 
>> So I'm finally coming to my question. How problematic is it really
>> to have the apache user and group owning the stuff under /var/www?

I think very, especially when running something like wordpress. WP
has (had) a history of some rather serious security issues. Even if
they are resolved, having the user that runs the apache server own
(or even have write access to) the directories and files that it has
access to leaves you totally vulnerable to someone breaking through
the server. I'm not so worried about apache proper (though struts was
the equifax vector apparently) but more about any scripting that one
may have on the site. All it takes is a bad script or two for your
site to be totally taken over.