httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Folder Permissions
Date Fri, 06 Jun 2003 14:48:12 GMT

On Fri, 6 Jun 2003, Mario Antonio wrote:
> Sorry if this a stupid question.
> If a file is owned by the Apache user (www), can that file somehow be
> modified by a internet visitor ( let's say: a hacker) since that user is
> using Apache to make that connection?

In a properly configured system with no "unsafe" cgi/php/perl scripts, it
is not possible for a hacker to modify anything on the server, regardless
of ownership.  It is true, however, that any flaw in apache or one of its
scripts will compromise the apache user first.

So yes, it is somewhat risky to have anything on the server owned by the
apache user.  But it is usually a reasonable risk in a tightly controlled
system.  It is probably not a reasonable risk if you have untrusted people
writing cgi/php/perl scripts.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message