httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Godrej <jamesgod...@yahoo.in>
Subject Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]
Date Fri, 30 Jul 2010 13:40:29 GMT
Sander,
Thanks for such detailed reply.
I have seen on many forums and use groups people tell to 
chown apache:apache /var/www
or 
chown nobody:nobody /var/www
chown www-data:www-data /var/www

If some one is reading from the documentation team I will suggest include 
Sander's reply to the appropriate page.
This is what is needed to be known.

I have seen reply's on forums where people kept their Document Root in home 
directory and 
the similar problems which original poster posted in this thread
were solved on other forums by changing the permissions they way I said.
Thanks for the detailed reply.





________________________________
From: Sander Temme <sctemme@apache.org>
To: users@httpd.apache.org
Sent: Fri, 30 July, 2010 12:43:28 PM
Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to  
view [this file]

James, 

The Apache HTTP Server needs read access to its configuration files and the 
files it serves.  In and of itself, the server does not need write access 
anywhere on the system: even its log files are opened for write when the server 
is still root, and the open file descriptors passed to the child processes which 
change their user id to the lesser privileged user.  


Read access only.  The web server user should not own, or be able to write to, 
its configuration files or content.  


Content, other than CGI scripts, generally does not need Execute permissions.  
Even PHP files that are interpreted by the server do not need to be Executable.  


Certain applications, especially publishing platforms and Content Management 
Systems that you manage and populate through the web server itself using a 
browser, require that certain directories on the system be made writable by the 
web server user.  You can do this by changing the owner of the directory to that 
user (usually www but ymmv), or by making the directory group-writable and 
changing the group to the group as which Apache runs. 


Making directories writable by the web server should be done only with care and 
consideration.  The usual threat model is that someone manages to upload (for 
instance) a PHP script of their own making into the document root, and simply 
executes that by accessing it through a browser.  Now someone is executing code 
on your machine.  Google for 'r57' for an example of what such code can do.  


If a web app needs writable directories, it's often better to have those outside 
the DocumentRoot: that way the uploads can't be accessed from the outside 
through a direct URL.  Some applications (Wordpress for instance) support this, 
others do not.  


In many cases, writable directories are not strictly necessary even though the 
web app might like them: rather than upload plugins (which contain code that 
gets executed or interpreted, yech!) through the web browser, upload them 
through ssh and manually unpack them on the server.  The CMS Joomla! likes to 
write its configuration file to the Document Root on initial install (which 
promptly becomes a popular attack target) but if it can't write to the Document 
Root, it will output the config to the browser to the user can manually upload 
it.  


Hope this helps.  

S.

On Jul 29, 2010, at 5:35 PM, James Godrej wrote:

> This I understand.
> But then do other users  not need read write permissions.
> There is hardly any thing given on this page
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
> You mentioned ServerRoot not be chowned to Apache.
> But if not then to what should it be and there is nothing about Document Root 
>to be chowned ?
> Who should own the Document Root there are many applications I download from 
>internet in their README pages it says 
>
> to chown those directories to apache.
> Otherwise it never worked.
> What should I do in this situation?
> 
> From: Eric Covener <covener@gmail.com>
> To: users@httpd.apache.org
> Sent: Thu, 29 July, 2010 10:45:53 PM
> Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to 
>view [this file]
> 
> > Oh man an experienced sys admin told me to do it that way.
> > Please tell me what is wrong in this and where is this documented on Apache
> > docs.
> > I want to read.
> 
> 
> This is a general principle -- don't grant more access than necessary.
> Apache doesn't need to own files to be able to serve (read) them.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "  from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> 



-- 
Sander Temme
sctemme@apache.org
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message