httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Platt - Platt Consultants" <GregPl...@ix.netcom.com>
Subject RE: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?
Date Wed, 03 Sep 2008 17:44:19 GMT
Your points are all excellent, Justin and very clearly stated too. Frankly,
they're almost exactly the same conclusions I came to on my own. I could see
no reason why Apache should (or would) give a damn about the location of
DocumentRoot or who owns it... ESPECIALLY when they let the user change
DocumentRoot for each virtual host if he wants.

Yet, someone I respect had suggested otherwise and later when I discovered
ISPConfig makes similar assumptions about user and group names and location
for web directories, I thought perhaps I had overlooked something. Thanks
for confirming what I concluded to begin with. It helps me feel I wasn't so
stupid after all. ;)

Also, I want to thank Eric Covener, Jo Yao and Lester Caine who also offered
helpful (and confirming) responses to my question.

Have a GREAT day, guys!

Best Professional Regards,
Greg Platt

-----Original Message-----
From: Justin Pasher [mailto:justinp@newmediagateway.com] 
Sent: Tuesday, September 02, 2008 3:07 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data
as www owner?

Greg Platt - Platt Consultants wrote:
> Yes, I realize the DocumentRoot location can be changed. Indeed I've
already
> changed it with the sites I converted earlier. What I came here hoping to
> find is someone who understands WHY it was changed by Apache to begin with
> and who could explain the implications of changing it in a different
way...
> especially since on Debian I can change it from one virtual host to
another.
> Frankly, I haven't found anything yet that says there were technological
or
> security reasons why Apache made this change. Not even their documentation
> suggests such reasons exist. If the answer is there ARE no specific
reasons
> for the change, I'm inclined to ignore it and go with what I already have
> working. 
>   

In regards strictly to technological or security reason for putting the 
DocumentRoot under /var/www, /home/www, or any other directory you like, 
there are none. The "default" location for this directory is ultimately 
up to the end user. Different Linux distributions will use different 
default directories. It's all a matter of what the file/directory name 
standard is for that distro. The same goes for the user account used to 
run the daemon (www-data for Debian, apache for RedHat based, I believe, 
etc).

The security of the directory is only determined by YOU (i.e. how secure 
you MAKE it). The apache user (whether it be apache, www-data, nobody, 
or any other system user) simply needs execute access on the 
DocumentRoot directory (and all parent directories) and read permission 
on the files it will be serving. The files themselves do not need to be 
owned by the apache user, nor do they need write access, unless you 
specifically want this (e.g. a script that allows the user to upload a 
file and it's stored in a directory under DocumentRoot). In fact, it can 
potentially be a security risk if the files allow the apache user write 
access (what happens if someone hacks a script and it attempts to modify 
a file on the website?).

In general, I find it best to simply follow the naming conventions of 
the distro (you can use symlinks if needed to make it easier for 
transitioning). This allows someone that is familiar with that distro to 
come in and not be surprised by a completely different file structure.


Justin Pasher


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message