httpd-users mailing list archives

From "Neil A. Hillard" <neil.hill...@agustawestland.com>
Subject Re: [users@httpd] security issue
Date Wed, 12 Dec 2007 14:50:10 GMT
Hi,

Karel Kubat wrote:
> Hi Hiep,
> 
> On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:
> 
>> I installed Apache on CentOS 5 and I have some questions regarding
>> security for Apache.  I read the security tips on
>> http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the
>> idea, but still need some advice from the gurus here.
> 
>> /etc/httpd/conf/httpd.conf:
>> ServerRoot "/etc/httpd"
>> User apache
>> Group apache
>> DocumentRoot "/var/www/html"
> 
>> as of now, /var/www/html/ belongs to root user & group.
> 
> Make this apache:apache, it fits better with the User/Group specifiers
> above.

That's got to be a seriously bad move.  Doing that will give the user
that the web server is running as write access to the document root.
Someone posted earlier on the list about creating a group, etc., which
would seem a much better way of handling things.


>> but I have a couple of developers here who need to upload files to this
>> folder, and I don't want to give out the root password.  What should I
>> change the /var/www/html/ folder to?
> 
> Use apache:apache if you think that all developers are trustworthy ;-)
> Definitely not root:root. When you make the ownership change, verify
> that apache:apache may indeed read /var/www/html/.

See above.  How are you suggesting the developers upload files?  By
adding them to the apache group?  Please see a previous post for a much
better solution.


HTH,


				Neil.

-- 
Neil Hillard                    neil.hillard@agustawestland.com
AgustaWestland                  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.
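As an added illustration that is not part of the thread, the following Python check compares the two ownership schemes under plain Unix owner/group/other bits: the document root owned by the httpd user versus owned by root with a separate developer group. The uids, gids and the group name webdev are constructed for the example.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: int
    gids: frozenset  # primary plus supplementary group ids


def may(mode: int, owner: int, group: int, who: Identity, perm: str) -> bool:
    """Plain Unix owner/group/other check for perm in {'r', 'w', 'x'}.
    uid 0 is deliberately not special-cased: httpd switches to the
    User/Group from httpd.conf before it serves requests, so that is the
    identity that matters. ACLs and SELinux labels are not modelled."""
    bits = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
            "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
            "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}[perm]
    if who.uid == owner:
        return bool(mode & bits[0])
    if group in who.gids:
        return bool(mode & bits[1])
    return bool(mode & bits[2])


# Constructed ids for the example; real values come from /etc/passwd and /etc/group.
ROOT, APACHE_UID, DEV_UID = 0, 48, 1001
ROOT_GID, APACHE_GID, WEBDEV_GID = 0, 48, 1002
httpd = Identity(APACHE_UID, frozenset({APACHE_GID}))
developer = Identity(DEV_UID, frozenset({DEV_UID, WEBDEV_GID}))


def docroot_report(mode: int, owner: int, group: int) -> dict:
    """What the server process and a developer can do to the document root."""
    return {"httpd_read": may(mode, owner, group, httpd, "r"),
            "httpd_write": may(mode, owner, group, httpd, "w"),
            "dev_write": may(mode, owner, group, developer, "w")}


def audit_docroot(path: str, who: Identity = httpd) -> dict:
    """Same check against a real directory (run on the server itself)."""
    st = os.stat(path)
    return {p: may(st.st_mode, st.st_uid, st.st_gid, who, p) for p in "rwx"}


# Scheme 1, as proposed in the quoted reply: chown apache:apache /var/www/html
OWNED_BY_HTTPD = docroot_report(0o755, APACHE_UID, APACHE_GID)
# Scheme 2, the group approach: groupadd webdev; usermod -aG webdev <dev>;
# chown root:webdev /var/www/html; chmod 2775 /var/www/html (setgid so new
# files inherit the webdev group). httpd then reads via the "other" bits only.
GROUP_OWNED = docroot_report(0o2775, ROOT, WEBDEV_GID)
```

With scheme 1 the server process can overwrite its own content; with scheme 2 it can only read, while developers in webdev can still upload.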

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
