httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Street" <bstr...@clearsightnet.com>
Subject RE: [users@httpd] Apache2 on Debian
Date Tue, 24 Jan 2006 17:37:03 GMT
Kermit,

Yes, that does clarify things quite a bit.

Thank you,
Brian.

-----Original Message-----
From: Kermit Short [mailto:k_short@lanl.gov] 
Sent: Tuesday, January 24, 2006 9:30 AM
To: bstreet@clearsightnet.com; users@httpd.apache.org
Subject: RE: [users@httpd] Apache2 on Debian

Brian-
	Well, you're starting to get into sticky ground.  When uploading to
the directory, you'll need it to be world Writeable as well as readable.  In
this situation, I've usually created a group (I.E. wwwuser) and have the
directory tree and all subs owned by root:wwwuser.  Add the apache user (in
the case of debian that's www-data) as well as any users that will need
write/read access to the directory structure.  Then, make sure that your
directory structure is Group +RW and you'll be OK.  If your FTP daemon runs
as a specific UID, you may also need to add that UID to the group "wwwuser".
I hope that clarifies things!

Kermit Short
System Administrator
CCN-DC-1 D-Div
 
ph: 7-6360
pg: 4-5165
em: k_short@lanl.gov

-----Original Message-----
From: Brian Street [mailto:bstreet@clearsightnet.com] 
Sent: Tuesday, January 24, 2006 8:19 AM
To: 'Kermit Short'; users@httpd.apache.org
Subject: RE: [users@httpd] Apache2 on Debian

Kermit,

The reason I asked was that I seem to remember (been a long time since I
installed and configured apache) that it was suggested that the directory
that holds the web site (/var/www) be owned by someone other than root (such
as www-data:www-data) and the other directories were owned by root.

I haven't seen anything to that effect with my readings though so I wondered
if security, etc. had improved so much that it wasn't necessary.

I wanted to be able to update the directory without using root via sftp so I
was planning on providing that capability to a different account (from root
and www-data). It appears from your response that I can do what I was
planning as long as the directory is world readable.

Thank you,
Brian.

-----Original Message-----
From: Kermit Short [mailto:k_short@lanl.gov] 
Sent: Tuesday, January 24, 2006 7:04 AM
To: users@httpd.apache.org; bstreet@clearsightnet.com
Subject: RE: [users@httpd] Apache2 on Debian

Brian-
	Your question depends on what you mean by "everything".  If you're
talking strictly about the directories that hold static files, it's fine
that root owns it.  Please note, however, that that it should be "world
readable" or else the www-data user/group won't be able to even read it, and
therefore won't be able to serve it out.
	On the other hand, if you are talking about file systems such as CGI
directories (usually defined in the <Directory /cgi-bin> directive),
permissions should be carefully planned and analyzed, as malicious users
could do great damage to yours and other systems if these are improperly
set.
	Finally, if you have other processes running that will need to
access portions of your file system, you'll need to make sure that those
UIDs have been added to the necessary group, or that the proper world-scoped
permissions have been applied to the necessary parts of the file tree.

Hope that helps!

Kermit Short
System Administrator
CCN-DC-1 D-Div
 
ph: 7-6360
pg: 4-5165
em: k_short@lanl.gov
-----Original Message-----
From: Brian Street [mailto:bstreet@clearsightnet.com] 
Sent: Monday, January 23, 2006 3:36 PM
To: users@httpd.apache.org
Subject: [users@httpd] Apache2 on Debian

Hello everyone,

I'm interested in whether or not people running Apache2 on Debian 3.1 create
a separate user for the web directory (/var/www/xxx).

The default install has root owning everything, but starting the web server
as www-data.

Thank you,
Brian.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org






---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message