httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yehuda Katz <yeh...@ymkatz.net>
Subject Re: [users@httpd] Changing the User Which Runs Apache
Date Wed, 07 Aug 2013 23:36:26 GMT
Do not run Apache as yourself. If it (or any application it runs as a
module - like PHP if you use mod_php) is compromised, it will be able to
modify your personal files.
Most people run apache as www-data (or similar) in a dedicated directory.

Check out how the default configuration of apache works on Debian/Ubuntu.
They run as the user www-data and have the correct permissions set on the
/var/www folder.

If you add yourself to the www-data group, you may need to log out and log
in again for it to take effect.



On Wed, Aug 7, 2013 at 3:31 PM, Noah Duffy <noahduffy@fastmail.fm> wrote:

> I've tinkered with running a website using Apache on Linux for a few
> years now, but in my earlier days, I was a little naive and didn't pay
> too much attention to permissions.
>
> Now that I'd like to host a very small site on a home server, I'm trying
> to take security seriously. I know I could easily use GoDaddy hosting,
> but this will pretty much be a static page blog that I'm sure no one
> will ever visit anyway. Also, it gives me the opportunity to learn.
>
> In the past, I've always configured my virtual host to use a folder in
> my home directory. I've read that this is better practice, and it's
> always been easier than changing permissions for /var/www, but one
> problem with this is that the www-data user does not have permission to
> this folder.
>
> I've been experimenting the last couple of days with giving ownership of
> /var/www to www-data and adding myself to the www-data group, but I've
> had a few hiccups (I'm sure I'm not doing everything correctly).
>
> I've decided an easier route would be to keep the root web directory in
> my home folder, but change the user that runs Apache to myself. I've
> done some searching to see if this is recommended against, but really
> haven't been able to find too much about the issue in general.
>
> Is this something that anyone else does on a public server? There won't
> be anything hosted on it that would concern me security wise, but it's
> always nice to know things are as secure as I can make them.
>
> Thanks in advance!
>
> --
> Noah Duffy
> noahduffy@fastmail.fm
>
> ASCII ribbon campaign ( )
>  against HTML e-mail!  X
>                       / \
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Mime
View raw message