httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karel Kubat <ka...@e-tunity.com>
Subject Re: [users@httpd] security issue
Date Wed, 12 Dec 2007 14:41:30 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Hiep,

On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:

> i installed apache on centos 5 and i have some questions regarding  
> security for apache.  i read security tips on http:// 
> httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea,  
> but still need some advices from guru here.
>
> /etc/httpd/conf/httpd.conf:
> ServerRoot "/etc/httpd"
> User apache
> Group apache
> DocumentRoot "/var/www/html"
>
> as of now, /var/www/html/ belongs to root user & group.

Make this apache:apache, it fits better with the User/Group  
specifiers above.

> but i have couple developers here that need to upload files to this  
> folder that i don't want to give out the root password.  what  
> should i change /var/www/html/ folder to?

Use apache:apache if you think that all developers are  
trustworthy ;-) Definitely not root:root. When you make the ownership  
change, verify that apache:apache may indeed read /var/www/html/.

> i also have a SSI folder (/var/www/html/includes) that i don't want  
> any web user to have access to because these includes files contain  
> user/password to mysql.
> for example, at the beginning of /var/www/html/index.php, i have:
> <?
> include_once('/var/www/html/includes/global.php');
> include_once('/var/www/html/includes/connect.php');
> ?>

PHP includes this way locally, from the file system. There is no need  
to park these files in the docroot tree. E.g., stick them in /var/www/ 
includes/, outside of /var/www/html. Then use include_once('/var/www/ 
includes/global.php').

> i try to prevent web user doing this:
> wget http://10.0.0.120/includes/global.php
> but at the same time allow apache server to access files in /var/ 
> www/html/inclues/ folder.

Definitely a good idea ;-)
See above..
HTH,
    --
    Karel Kubat / M +31 6 2956 4861 (+31 6 AWK 6 HUM 1)
    From the collection of Wise Quotes:
    "I'm not into working out. My philosophy: No
    pain, no pain." - Carol Leifer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iD8DBQFHX/Ma23FrzRzybNURAuoUAJ9Oe+myyzOTcwXTgT2qfoe+lury+ACgmKXZ
r8ZP+UpEyz5jPZAtYknFN2A=
=SPCk
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message