From: "Kermit Short"
Date: Tue, 24 Jan 2006 10:30:13 -0700
Subject: RE: [users@httpd] Apache2 on Debian

Brian-

Well, you're starting to get into sticky ground. When uploading to the directory, you'll need it to be world writeable as well as readable. In this situation, I've usually created a group (i.e. wwwuser) and have the directory tree and all subs owned by root:wwwuser. Add the apache user (in the case of Debian that's www-data) as well as any users that will need write/read access to the directory structure. Then, make sure that your directory structure is Group +RW and you'll be OK. If your FTP daemon runs as a specific UID, you may also need to add that UID to the group "wwwuser".

I hope that clarifies things!

Kermit Short
System Administrator
CCN-DC-1 D-Div
ph: 7-6360
pg: 4-5165
em: k_short@lanl.gov

-----Original Message-----
From: Brian Street [mailto:bstreet@clearsightnet.com]
Sent: Tuesday, January 24, 2006 8:19 AM
To: 'Kermit Short'; users@httpd.apache.org
Subject: RE: [users@httpd] Apache2 on Debian

Kermit,

The reason I asked was that I seem to remember (been a long time since I installed and configured apache) that it was suggested that the directory that holds the web site (/var/www) be owned by someone other than root (such as www-data:www-data) and the other directories were owned by root. I haven't seen anything to that effect with my readings though so I wondered if security, etc. had improved so much that it wasn't necessary.

I wanted to be able to update the directory without using root via sftp so I was planning on providing that capability to a different account (from root and www-data). It appears from your response that I can do what I was planning as long as the directory is world readable.

Thank you,
Brian.

-----Original Message-----
From: Kermit Short [mailto:k_short@lanl.gov]
Sent: Tuesday, January 24, 2006 7:04 AM
To: users@httpd.apache.org; bstreet@clearsightnet.com
Subject: RE: [users@httpd] Apache2 on Debian

Brian-

Your question depends on what you mean by "everything". If you're talking strictly about the directories that hold static files, it's fine that root owns it. Please note, however, that it should be "world readable" or else the www-data user/group won't be able to even read it, and therefore won't be able to serve it out. On the other hand, if you are talking about file systems such as CGI directories (usually defined in the directive), permissions should be carefully planned and analyzed, as malicious users could do great damage to yours and other systems if these are improperly set. Finally, if you have other processes running that will need to access portions of your file system, you'll need to make sure that those UIDs have been added to the necessary group, or that the proper world-scoped permissions have been applied to the necessary parts of the file tree.

Hope that helps!

Kermit Short
System Administrator
CCN-DC-1 D-Div
ph: 7-6360
pg: 4-5165
em: k_short@lanl.gov

-----Original Message-----
From: Brian Street [mailto:bstreet@clearsightnet.com]
Sent: Monday, January 23, 2006 3:36 PM
To: users@httpd.apache.org
Subject: [users@httpd] Apache2 on Debian

Hello everyone,

I'm interested in whether or not people running Apache2 on Debian 3.1 create a separate user for the web directory (/var/www/xxx). The default install has root owning everything, but starting the web server as www-data.

Thank you,
Brian.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
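
An added example, not part of the original messages: a POSIX shell audit of the group-based scheme described in the thread (tree group-owned by one shared group, group read/write on everything, nothing world-writable). The function names and output labels are assumptions made for this example; the group (for instance the thread's "wwwuser") is passed as an argument.

```shell
#!/bin/sh
# Added example: audit and repair a web tree against the shared-group scheme.
# Function names and finding labels are hypothetical, chosen for this example.

# audit_webroot DIR GROUP
# Prints one line per deviation. Symlinks are skipped because their own
# mode bits are not what the kernel checks on access.
audit_webroot() {
    root=$1 group=$2
    # Entry is not group-owned by the shared group.
    find "$root" ! -type l ! -group "$group" -print | sed 's/^/wrong-group: /'
    # Group is missing read or write (both bits of 060 must be set).
    find "$root" ! -type l ! -perm -060 -print | sed 's/^/no-group-rw: /'
    # Directory lacks group search permission, so members cannot enter it.
    find "$root" -type d ! -perm -010 -print | sed 's/^/dir-no-group-x: /'
    # Anyone on the host can modify the entry.
    find "$root" ! -type l -perm -002 -print | sed 's/^/world-writable: /'
}

# count_findings DIR GROUP
# Number of deviations, as a bare integer.
count_findings() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

# apply_scheme DIR GROUP
# Sets group ownership, grants group rw (plus search on directories via X),
# and removes world write. Changing the owner to root is left out here
# because it requires root privileges.
apply_scheme() {
    chgrp -R "$2" "$1" &&
    chmod -R g+rwX,o-w "$1"
}

# Stand-alone use: sh audit.sh /var/www wwwuser
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

World read is left untouched by `apply_scheme`; whether "other" needs read at all depends on whether every account that must read the tree is in the shared group.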