From: Hiep Nguyen
To: Apache Users
Date: Wed, 12 Dec 2007 06:13:37 -0800 (PST)
Subject: [users@httpd] security issue

hi list,

i installed apache on centos 5 and i have some questions regarding security for apache.
i read security tips on http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea, but still need some advice from the gurus here.

/etc/httpd/conf/httpd.conf:

    ServerRoot "/etc/httpd"
    User apache
    Group apache
    DocumentRoot "/var/www/html"

as of now, /var/www/html/ belongs to root user & group. but i have a couple of developers here that need to upload files to this folder, and i don't want to give out the root password. what should i change the /var/www/html/ folder to?

i also have an SSI folder (/var/www/html/includes) that i don't want any web user to have access to, because these include files contain the user/password to mysql. for example, at the beginning of /var/www/html/index.php, i have:

i am trying to prevent a web user from doing this:

    wget http://10.0.0.120/includes/global.php

but at the same time allow the apache server to access files in the /var/www/html/includes/ folder.

any idea/suggestion?

thank you,
t. hiep
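
One way to get the behaviour asked about for /var/www/html/includes, as an added example that is not part of the original post: an httpd 2.2 access-control override. It assumes the files are pulled in with PHP include()/require(), that the DocumentRoot section looks like the first block below (the post does not show it), and the file name in the comment is hypothetical.

```apache
# Added example for Apache httpd 2.2 (the version the post's link refers to).
# Assumed location: a file such as /etc/httpd/conf.d/includes-deny.conf
# (hypothetical name), or httpd.conf itself after the DocumentRoot section.

# Assumed existing DocumentRoot section. Every subdirectory, including
# includes/, inherits "Allow from all" and can be fetched over HTTP.
<Directory "/var/www/html">
    Order allow,deny
    Allow from all
</Directory>

# Override for the includes directory: refuse every HTTP request.
# <Directory> sections are merged from shortest path to longest, so this
# more specific section wins over the one above.
# PHP include()/require() read the file from disk as the "apache" user
# and do not pass through these access checks, so index.php can still
# load includes/global.php.
<Directory "/var/www/html/includes">
    Order deny,allow
    Deny from all
    # Keep a .htaccess file in this directory from re-opening access.
    AllowOverride None
</Directory>
```

After reloading httpd, the wget request from the post is answered with 403 Forbidden while index.php can still read the file from disk. Moving the includes directory outside DocumentRoot gives the same protection without depending on this configuration.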