httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] apache access permission
Date Wed, 17 Oct 2012 13:33:39 GMT
On October 17, 2012 7:09 , jupiter <jupiter.hce@gmail.com> wrote:
> I installed httpd on CentOS 6.2, there is apache user name, but there
> is no apache home directory. I have php files which need to access an
> ssh key for ssh communication, but the ssh key is "-rw-------"
> permission which deny apache to access it. How do you handle apache
> access permission? Should I create an apache home directory to let
> apache write its data or access its files to its home directory?

This has nothing to do with home directories, or lack of them.  A home 
directory is simply a place to store files.  However, you can store 
files anywhere and grant permissions appropriately.

Also, are you sure you have no home directory for the user "apache"?  On 
CentOS systems, if you check in the sixth field of the /etc/passwd entry 
for user "apache", you should see a home directory of /var/www

For the ssh key, it is important to keep it secure.  Anyone who gets 
this key can use it to log in to any system that trusts the key.  So it 
is best to have the key be single-purpose, used only for your PHP web 
application and not for anything else.  If the key already exists (that 
is, it was not created just for the use of this PHP web application) and 
is owned by another user, then that is not great and by letting the user 
"apache" read (a copy of) the key you may be doing something dangerous.

OpenSSH (/usr/sbin/ssh) will refuse to use a key if the permissions on 
either it or the directory it is in allow access for other users.  So 
rather than setting permissions on the current copy of the key (which 
from what you write above is owned by a different user than "apache") 
you'll probably want to make a copy of the key. If user "apache" has the 
home directory /var/www, then a natural place to put this copy is 
/var/www/.ssh/ (assuming your DocumentRoot directory is /var/www/html, 
it would be very bad if your DocumentRoot were /var/www for some reason, 
as you'd then be making your ssh key available to anyone who could 
access your web site).

If you want to use a ssh key that is stored somewhere else other than 
the user "apache" home directory, the "-i" option to ssh will allow you 
to do this.  See the ssh manual page for more information.

--
   Mark Montague
   mark@catseye.org
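
The placement and permission rules discussed in this message can be checked with a short audit script. This is an added example, not part of the original e-mail: it assumes GNU stat (as shipped on CentOS), and the function names audit_key and has_group_other_bits are hypothetical.

```shell
#!/bin/sh
# Added example: audit where a web application's SSH private key lives.
# Assumes GNU coreutils (stat -c). All paths and the owner are caller-supplied.

# Succeeds (returns 0) if any group/other permission bit is set on $1.
has_group_other_bits() {
    local mode
    mode=$(stat -c '%a' "$1") || return 0   # cannot stat: treat as a finding
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# audit_key KEY DOCROOT OWNER
# Prints one line per finding; returns the number of findings (0 = clean).
audit_key() {
    local key="$1" docroot="$2" owner="$3" findings=0 dir real_key real_root
    if [ ! -f "$key" ] || [ -L "$key" ]; then
        echo "FAIL: $key is not a regular file"; return 1
    fi
    # Resolve symlinked directories so the DocumentRoot comparison is reliable.
    dir=$(cd "$(dirname "$key")" && pwd -P)
    real_key="$dir/$(basename "$key")"
    real_root=$(cd "$docroot" && pwd -P)

    # The key must not be reachable through the web server.
    case "$real_key" in
        "$real_root"/*) echo "FAIL: key is inside DocumentRoot $real_root"
                        findings=$((findings + 1)) ;;
    esac
    # Only the owning user may have any access to the key or its directory.
    if has_group_other_bits "$real_key"; then
        echo "FAIL: key mode $(stat -c '%a' "$real_key") allows group/other access"
        findings=$((findings + 1))
    fi
    if has_group_other_bits "$dir"; then
        echo "FAIL: $dir mode $(stat -c '%a' "$dir") allows group/other access"
        findings=$((findings + 1))
    fi
    # The key should belong to the account that runs the web application.
    if [ "$(stat -c '%U' "$real_key")" != "$owner" ]; then
        echo "FAIL: key owner is $(stat -c '%U' "$real_key"), expected $owner"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: $real_key"
    return "$findings"
}
```

With the layout from the message this would be called as audit_key /var/www/.ssh/KEYFILE /var/www/html apache, where KEYFILE is a placeholder for the key's file name.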

