httpd-users mailing list archives

From Karel Kubat <>
Subject Re: [users@httpd] security issue
Date Wed, 12 Dec 2007 14:41:30 GMT

Hi Hiep,

On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:

> I installed Apache on CentOS 5 and I have some questions regarding
> security for Apache. I read the security tips on http://
> and got the idea,
> but I still need some advice from the gurus here.
> /etc/httpd/conf/httpd.conf:
> ServerRoot "/etc/httpd"
> User apache
> Group apache
> DocumentRoot "/var/www/html"
> As of now, /var/www/html/ belongs to the root user & group.

Make this apache:apache; it fits better with the User/Group specifiers above.

> But I have a couple of developers here who need to upload files to this
> folder, and I don't want to give out the root password. What
> should I change the /var/www/html/ folder to?

Use apache:apache if you think that all developers are  
trustworthy ;-) Definitely not root:root. When you make the ownership  
change, verify that apache:apache may indeed read /var/www/html/.

> I also have an SSI folder (/var/www/html/includes) that I don't want
> any web user to have access to, because these include files contain the
> user/password for MySQL.
> For example, at the beginning of /var/www/html/index.php, I have:
> <?
> include_once('/var/www/html/includes/global.php');
> include_once('/var/www/html/includes/connect.php');
> ?>

PHP includes this way locally, from the file system. There is no need to park these files in the docroot tree. E.g., stick them in /var/www/includes/, outside of /var/www/html. Then use include_once('/var/www/

> I try to prevent web users from doing this:
> wget
> but at the same time allow the Apache server to access files in the
> /var/www/html/includes/ folder.

Definitely a good idea ;-)
See above..
    Karel Kubat / M +31 6 2956 4861 (+31 6 AWK 6 HUM 1)
    From the collection of Wise Quotes:
    "I'm not into working out. My philosophy: No
    pain, no pain." - Carol Leifer
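As an added example (not from the thread, and not httpd project code), here is a shell script that sets up the layout Karel sketches: a docroot the developers' group can write to without the root password, the web server user left read-only, and the credential-bearing includes moved out of the docroot, plus an Apache 2.2 config fragment (the httpd CentOS 5 ships) that refuses to serve the old in-docroot location. The group name "webdev", the web user "apache" (from Hiep's httpd.conf), the fragment file name and the use of setfacl for the includes directory are assumptions for illustration; run it unprivileged against a scratch ROOT to see the resulting modes.

```shell
#!/bin/sh
# Added example (not from the thread): permission layout for a docroot
# that developers write to and httpd only reads, with the MySQL-credential
# includes outside the docroot. Assumptions: developers share a Unix group
# (called "webdev" here), httpd runs as user "apache" (as in the quoted
# httpd.conf), and setfacl is available (a plain-mode fallback is included).
set -eu

# setup_site_tree ROOT DEVGROUP WEBUSER
#   ROOT     prefix under which the tree is created ("/" on the real host;
#            a scratch directory when run unprivileged, as in the test)
#   DEVGROUP the developers' group; must exist, and the caller must be a
#            member of it (chgrp to one of your own groups needs no root)
#   WEBUSER  the account httpd runs as ("User apache" in httpd.conf)
# Prints the path of the generated config fragment.
setup_site_tree() {
    root=$1; devgroup=$2; webuser=$3
    html="$root/var/www/html"
    inc="$root/var/www/includes"
    conf="$root/etc/httpd/conf.d/site-hardening.conf"

    mkdir -p "$html" "$inc" "$root/etc/httpd/conf.d"

    # Docroot: group-writable so developers upload without root. The
    # setgid bit (leading 2) makes uploaded files inherit DEVGROUP so the
    # next developer can edit them. "Other" keeps r-x so WEBUSER, which is
    # deliberately NOT a member of DEVGROUP, can read but never write here.
    chgrp "$devgroup" "$html"
    chmod 2775 "$html"

    # Includes holding the MySQL credentials live outside the docroot:
    # no URL maps to /var/www/includes, yet PHP's include_once() reads it
    # from disk exactly as before. Deny "other" entirely so local users
    # cannot read the password, and grant WEBUSER read+search via an ACL.
    chgrp "$devgroup" "$inc"
    chmod 2770 "$inc"
    if ! setfacl -m "u:$webuser:rx" "$inc" 2>/dev/null; then
        # No ACL support: fall back to world-readable (every local user
        # can then read the credentials) and say so loudly.
        chmod 2775 "$inc"
        echo "warning: no ACL support, $inc is world-readable" >&2
    fi

    # Apache 2.2 syntax (Order/Deny; 2.4 would use "Require all denied").
    # Belt and braces: deny the old in-docroot location in case someone
    # recreates it, and never serve *.inc files from anywhere.
    cat >"$conf" <<'EOF'
<Directory "/var/www/html/includes">
    Order allow,deny
    Deny from all
</Directory>
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
    echo "$conf"
}

# dir_mode PATH: octal permission bits including setgid, e.g. 2775
# (GNU stat on Linux).
dir_mode() {
    stat -c '%a' "$1"
}
```

On the real host you would run it as root with ROOT=/ after creating the webdev group and adding the developers to it (`groupadd webdev; usermod -aG webdev alice`), and then change the PHP files to `include_once('/var/www/includes/connect.php')`. Keeping the apache user out of webdev is the point: a compromised PHP script then cannot rewrite the site, and the credentials file is readable by the web server but by nobody else on the box.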



The official User-To-User support forum of the Apache HTTP Server Project.
