[CentOS] Web server files ownership?

Fri Jul 7 10:25:29 UTC 2017
Nicolas Kovacs <info at microlinux.fr>

Hi,

I have a series of websites hosted on two CentOS 7 servers, using Apache
virtual hosts. One of these servers is a "sandbox" machine, to test
things and to fiddle around.

On the sandbox server, I have a few dummy websites I'm hosting.

# ls /var/www/html/
default  phpinfo  slackbox-mail  slackbox-site  unixbox-mail  unixbox-site

Since Apache is running as system user 'apache' and system group
'apache', I thought it sensible that hosted files be owned by that process.

# ls -l /var/www/html/
total 24
drwxr-x---. 3 apache apache 4096  6 juil. 09:37 default
drwxr-x---. 3 apache apache 4096  6 juil. 10:01 phpinfo
drwxr-x---. 3 apache apache 4096  6 juil. 09:41 slackbox-mail
drwxr-x---. 3 apache apache 4096  6 juil. 09:37 slackbox-site
drwxr-x---. 3 apache apache 4096  6 juil. 09:42 unixbox-mail
drwxr-x---. 3 apache apache 4096  6 juil. 09:38 unixbox-site

Directories are all drwxr-x---, while files are -rw-r-----.

Now some guy on the French forum fr.centos.org told me that I got
everything wrong, and that my setup is a security flaw, without
elaborating any further though.

So I thought I'd ask on this list (which is a little bit more urbane
than the French forum).

1. What is wrong with my setup?

2. What do you suggest?

BTW, I don't mind to RTFM, even extensively.

Cheers from the sunny South of France,

Niki Kovacs

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32