httpd-users mailing list archives

From "Neil A. Hillard"
Subject Re: [users@httpd] security issue
Date Wed, 12 Dec 2007 14:50:10 GMT

Karel Kubat wrote:
> Hi Hiep,
> On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:
>> i installed apache on centos 5 and i have some questions regarding
>> security for apache.  i read security tips on
>> and get the
>> idea, but still need some advice from gurus here.
>> /etc/httpd/conf/httpd.conf:
>> ServerRoot "/etc/httpd"
>> User apache
>> Group apache
>> DocumentRoot "/var/www/html"
>> as of now, /var/www/html/ belongs to root user & group.
> Make this apache:apache, it fits better with the User/Group specifiers
> above.

That's got to be a seriously bad move.  Doing that will allow the user
that the web server is running as write access to the document root.
Someone posted earlier on the list about creating a group, etc. which
would seem a much better way of handling things.

>> but i have couple developers here that need to upload files to this
>> folder that i don't want to give out the root password.  what should i
>> change /var/www/html/ folder to?
> Use apache:apache if you think that all developers are trustworthy ;-)
> Definitely not root:root. When you make the ownership change, verify
> that apache:apache may indeed read /var/www/html/.

See above.  How are you suggesting the developers upload files?  By
adding them to the apache group?  Please see a previous post for a much
better solution.



Neil Hillard          

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.
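
The concern raised in this message, as an added example that is not part of the original thread: a shell function that lists everything under a document root that the web server account could modify. The function name and output format are assumptions made for illustration; the directory, user and group in the usage comment are the values from the quoted httpd.conf.

```shell
#!/bin/sh
# Added example: list docroot entries the web server account could modify.
# Usage: docroot_write_exposure DIR SERVER_USER SERVER_GROUP
# (names or numeric ids). Prints one "reason<TAB>path" line per finding and
# returns 0 when nothing is exposed, 1 otherwise.
docroot_write_exposure() (
    dir=$1; user=$2; group=$3
    tab=$(printf '\t')
    findings=$(
        # Ownership alone is enough: an owner can chmod a read-only file
        # back to writable, so the mode bits are not checked here.
        find "$dir" ! -type l -user "$user" | sed "s/^/owner${tab}/"
        # Members of the server's group need the group-write bit.
        find "$dir" ! -type l -group "$group" -perm -020 | sed "s/^/group-write${tab}/"
        # World-writable entries are writable by every account.
        find "$dir" ! -type l -perm -002 | sed "s/^/world-write${tab}/"
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
    fi
    [ -z "$findings" ]
)

# Run directly, e.g. with the values from the httpd.conf quoted above:
#   sh check_docroot.sh /var/www/html apache apache
if [ "$#" -eq 3 ]; then
    docroot_write_exposure "$@" || exit 1
fi
```

With the tree owned by apache:apache, every entry is reported under `owner`; with root ownership and no group or world write bits, the output is empty.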

The official User-To-User support forum of the Apache HTTP Server Project.