httpd-users mailing list archives

From Tom Evans <tevans...@googlemail.com>
Subject Re: [users@httpd] permission problem
Date Fri, 21 Aug 2009 08:37:53 GMT
On Thu, 2009-08-20 at 22:02 -0400, Chuck Crisler wrote:
> I seem to have a permission problem with apache. I am running FC9 and
> apache 2.2.11, mod_perl 2.0.4 and perl/V5.10.0. I am trying to work with
> apache/perl/mason/MySQL but continually encounter permission failures.
> Apache runs under user/group apache/apache (specified in the httpd.conf
> file and verified using the ps command). The document root
> is /var/www/html, which is owned by root (I don't understand this, I
> would think it would be apache/apache).

If it was owned by user apache, then if the webserver were exploitable,
the attacker would be able to deface your website. If it is just
readable by apache, then they would need to exploit apache and then find
a local privilege escalation to do so.

>  My cgi-bin directory
> (/var/www/cgi-bin) was owned by root/root at first. I entered the env.pl
> script from example 1-5, pg 10 in the Practical mod-perl book. I saved
> the file to /var/www/cgi-bin, changed owner to apache, chmod 700,
> re-started apache and tried to access http://localhost/cgi-bin/env.pl
> and failed with a permission error. 

And what did the error log say about this error?

> I changed the cgi-bin directory to
> apache/apache (user/group) and the env.pl script also. I re-started
> apache. It still fails with a permission error. I suspect that if I
> changed the env.pl file to root/root then it would work, but I don't
> want to do that. I have had several other errors similar to this that I
> have worked around, but would really like to understand this permission
> thing and get it fixed once and for all.

You need to see why it failed. Look at your error log.

> 
> My system does have a user apache/apache, but there isn't a home
> directory.
> 
> How do most people configure a development server? I try to avoid using
> the root login for security reasons. However, all of the apache files
> are owned by root, so I maintain private versions of them and use sudo
> to copy changes back to the appropriate directory. I haven't figured out
> how to handle perl scripts that I enter.
> 
> All help is greatly appreciated.
> 
> Chuck Crisler
> 

They don't have to be owned by root, they just need to be readable by
apache and correctly configured. Your doc root, and all the files under
there, can be owned by your local user. You only need root privileges to
start/stop apache.

Cheers

Tom


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
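
Added example, not part of the original message and not Apache project code: a Python sketch of the two checks discussed in this thread, listing paths the server user owns or can write (the defacement risk) and paths it cannot read, traverse or execute (a source of permission errors). The names `perms_for` and `audit` and the finding labels are assumptions; only plain Unix mode bits are evaluated, so ACLs and SELinux are not covered.

```python
import os
import stat
import sys

def perms_for(st, uid, gids):
    """rwx bits (0-7) that the mode bits alone give uid/gids on this inode.

    Only the first matching class counts: owner, then group, then other.
    ACLs, SELinux and root's override are not modelled.
    """
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(root, uid, gids, cgi_dirs=()):
    """Return (path, problem) pairs for the server identity under root."""
    cgi = tuple(os.path.abspath(d) + os.sep for d in cgi_dirs)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            bits = perms_for(st, uid, gids)
            if st.st_uid == uid:
                # The owner can always chmod, so ownership implies write.
                findings.append((path, "owned"))
            elif bits & 2:
                findings.append((path, "writable"))
            # Directories need r+x to list and traverse, CGI scripts r+x
            # to be interpreted, static files only r.
            is_cgi = os.path.abspath(path).startswith(cgi)
            need = 5 if stat.S_ISDIR(st.st_mode) or is_cgi else 4
            if (bits & need) != need:
                findings.append((path, "unreadable"))
    return findings

if __name__ == "__main__":
    import pwd
    if len(sys.argv) < 3:
        sys.exit("usage: audit.py SERVER_USER DOCROOT [CGI_DIR ...]")
    pw = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(sys.argv[1], pw.pw_gid))
    for path, problem in audit(sys.argv[2], pw.pw_uid, gids, sys.argv[3:]):
        print(problem, path)
```

The walk starts at the directory given as DOCROOT, so a CGI directory is only examined if it lies under that path.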

