Sander,
Thanks for such a detailed reply.
I have seen on many forums and user groups people being told to
chown apache:apache /var/www
or
chown nobody:nobody /var/www
chown www-data:www-data /var/www

If someone from the documentation team is reading, I would suggest including
Sander's reply on the appropriate page.
This is what needs to be known.

I have seen replies on forums where people kept their Document Root in their home
directory, and
the same problems the original poster posted in this thread
were solved on other forums by changing the permissions the way I said.
Thanks for the detailed reply.

________________________________
From: Sander Temme <sctemme@apache.org>
To: users@httpd.apache.org
Sent: Fri, 30 July, 2010 12:43:28 PM
Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

James,

The Apache HTTP Server needs read access to its configuration files and the
files it serves. In and of itself, the server does not need write access
anywhere on the system: even its log files are opened for write while the server
is still root, and the open file descriptors are passed to the child processes, which
change their user id to the less privileged user.

Read access only. The web server user should not own, or be able to write to,
its configuration files or content.

Content, other than CGI scripts, generally does not need Execute permissions.
Even PHP files that are interpreted by the server do not need to be Executable.

Certain applications, especially publishing platforms and Content Management
Systems that you manage and populate through the web server itself using a
browser, require that certain directories on the system be made writable by the
web server user. You can do this by changing the owner of the directory to that
user (usually www but ymmv), or by making the directory group-writable and
changing the group to the group as which Apache runs.

Making directories writable by the web server should be done only with care and
consideration. The usual threat model is that someone manages to upload (for
instance) a PHP script of their own making into the document root, and simply
executes that by accessing it through a browser. Now someone is executing code on
your machine. Google for 'r57' for an example of what such code can do.

If a web app needs writable directories, it's often better to have those outside
the DocumentRoot: that way the uploads can't be accessed from the outside
through a direct URL. Some applications (WordPress for instance) support this,
others do not.

In many cases, writable directories are not strictly necessary even though the
web app might like them: rather than uploading plugins (which contain code that
gets executed or interpreted, yech!) through the web browser, upload them
through ssh and manually unpack them on the server. The CMS Joomla! likes to
write its configuration file to the Document Root on initial install (which
promptly becomes a popular attack target), but if it can't write to the Document
Root, it will output the config to the browser so the user can manually upload
it.

Hope this helps.

S.

On Jul 29, 2010, at 5:35 PM, James Godrej wrote:

> This I understand.
> But then do other users not need read/write permissions?
> There is hardly anything given on this page
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
> You mentioned ServerRoot should not be chowned to Apache.
> But if not, then to what should it be? And there is nothing about the Document Root
> to be chowned?
> Who should own the Document Root? There are many applications I download from the
> internet; in their README pages it says
>
> to chown those directories to apache.
> Otherwise it never worked.
> What should I do in this situation?
>
> From: Eric Covener <covener@gmail.com>
> To: users@httpd.apache.org
> Sent: Thu, 29 July, 2010 10:45:53 PM
> Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]
>
> > Oh man, an experienced sys admin told me to do it that way.
> > Please tell me what is wrong in this and where is this documented in the Apache
> > docs.
> > I want to read.
>
> This is a general principle -- don't grant more access than necessary.
> Apache doesn't need to own files to be able to serve (read) them.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

-- 
Sander Temme
sctemme@apache.org
PGP FP: FC5A 6FC6 2E25 2DFD 8007 EE23 9BB8 63B0 F51B B88A
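An added example, not from this thread or the httpd project: a POSIX shell audit that checks a DocumentRoot tree against the read-only rule Sander describes (nothing owned or writable by the web server user, writable areas only where the application needs them, and preferably outside the DocumentRoot). The user and group names and all paths are assumptions; take the real ones from the User and Group directives in your httpd.conf.

```shell
#!/bin/sh
# Added example (not from the thread): audit a DocumentRoot against the
# read-only rule above. Each finding is printed as "<REASON> <path>".
# Usage: audit_docroot DOCROOT WEBUSER WEBGROUP [ALLOWED_WRITABLE_DIR ...]
# WEBUSER/WEBGROUP are the User/Group from httpd.conf; names such as
# www-data or apache are assumptions, not taken from the thread.

# Return 0 if PATH is one of, or lies under, the directories given after it.
in_allowed() {
  path=$1; shift
  for dir in "$@"; do
    case "$path" in "$dir"|"$dir"/*) return 0 ;; esac
  done
  return 1
}

audit_docroot() {
  docroot=$1; webuser=$2; webgroup=$3; shift 3
  # Writable areas belong outside the DocumentRoot, so an uploaded file
  # (a PHP script, say) cannot be fetched and run through a direct URL.
  for dir in "$@"; do
    case "$dir" in "$docroot"|"$docroot"/*) echo "WRITABLE_DIR_INSIDE_DOCROOT $dir" ;; esac
  done
  {
    # Owned by the web server user: it could replace or chmod the file.
    find "$docroot" -user "$webuser" | sed 's/^/OWNED_BY_WEBUSER /'
    # Group-writable and in the server's group: effectively writable by it.
    find "$docroot" -group "$webgroup" -perm -020 | sed 's/^/GROUP_WRITABLE /'
    # World-writable: writable by the server and every other local account.
    find "$docroot" -perm -002 | sed 's/^/WORLD_WRITABLE /'
  } | while read -r reason path; do
    # Suppress findings inside the directories the application really needs.
    in_allowed "$path" "$@" || echo "$reason $path"
  done
}

# Number of findings; an empty report (0) means the tree satisfies the rule.
audit_count() {
  audit_docroot "$@" | wc -l | tr -d ' '
}
```

Run as `audit_docroot /var/www www-data www-data /srv/app/uploads` (paths and names are placeholders); a deployment script can fail when `audit_count` is non-zero.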