httpd-users mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [users@httpd] Unable to set up virtual hosts on Mac
Date Tue, 22 Mar 2016 10:23:12 GMT
On Tue, Mar 22, 2016 at 10:06 AM, Roparzh Hemon <roparzhhemon@gmail.com> wrote:
> On Tue, Mar 22, 2016 at 9:56 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>> It's usually not a good idea to have the HTTP server own (and be able
>> to write to) the files/directory it serves.
>>
>> So you should probably make httpd run as its own User/Group, and make
>> the DocumentRoot (and below) owned by an administrative user (the one
>> able to update the content), giving only access/read rights to the
>> httpd group (or user, usually as "others").
>
>    I don't really understand what you mean by "the HTTP server owns
> the files it serves". The HTTP server is not a user, is it?

I mean httpd will run as (have the rights of) the configured
User:Group, just like any logged-in local user.
If a remote client (say malicious) is able to take control of the
server or application by exploiting a vulnerability, (s)he could do
anything on the local system with the rights of the server, including
modify anything owned by the configured User (e.g. the content of the
site...)

I suspect that the directory "/Users/myusernamehere/Sites/strawberry"
(and files/directories under it) is owned by "myusernamehere:staff",
so given the httpd configuration you pasted above this could be the
same as the server.

> How should I change my httpd.conf to reflect the improvements you
> suggest?

On the httpd side, it would simply be:
   User httpd
   Group httpd
or "apache:apache", "nobody:nogroup", whatever (provided it's not
shared with any other server/user).

On the system side, it depends on who is going to update the Sites.
Will there be a single Sites directory (hence a single "webmaster") or
will each user have their own Sites directory (hence as many
"webmasters")?

I will only talk about the former (easier) case for now...

First I'd put the Sites directory outside of any $HOME directory,
otherwise you'll have to take special action on that directory for the
only purpose of the inner httpd DocumentRoot.

Let's say the webmaster is "root" (you configured httpd on port 80, so
you must be root already to start it) and the DocumentRoot is
"/Library/WebServer/Documents" (the one of the system after all, why
not use it?).

Then you could:
# mv /Users/myusernamehere/Sites /Library/WebServer/Documents/
# chown -R root:root /Library/WebServer/Documents/Sites
# find /Library/WebServer/Documents/Sites/ -type d -exec chmod 755 {} \;
# find /Library/WebServer/Documents/Sites/ -type f -exec chmod go-w {} \;
(I'm used to Linux, so this may not work on your system, just an example)

But you could replace "root" with "myusernamehere" if you are the
webmaster, just don't mix servers' tree with your ($HOME) tree, IMHO.

Now httpd can access/read anything in
"/Library/WebServer/Documents/Sites/" and hence will work, but it
won't be able to write there or anywhere (it does not need to in usual
cases).

Hope this helps.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
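The permission scheme Yann describes above (httpd's User/Group may read the DocumentRoot but must never own or write to it) can be checked and applied with a small script. The following is an added example, not code from the thread or from the httpd project: it audits a tree for entries the server account could write to, counts entries owned by a given account (for the "httpd" user from the mail this should be zero), and applies the same `chmod 755` / `chmod go-w` scheme. The account name "httpd" and all paths are assumptions; the demo at the bottom runs on a scratch directory created with `mktemp`, not on a real DocumentRoot, and `chown` is left out because it needs root (on macOS the root group is `wheel`, so the equivalent of Yann's `chown -R root:root` would be `chown -R root:wheel`).

```shell
#!/bin/sh
# Added example, not code from the thread: audit a DocumentRoot the way Yann
# describes (httpd must be able to read but never write), then apply his
# chmod scheme. The "httpd" account name and the paths are assumptions; the
# demo below runs on a scratch directory from mktemp, not a real DocumentRoot.

# Number of files and directories under $1 that group or others may write to.
# Octal masks are used because -perm -020 / -perm -002 work on both GNU and
# BSD find (macOS ships BSD find).
count_writable() {
  find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Number of entries under $1 owned by user $2 (name or numeric uid).
# With "httpd" as $2 this should be 0: the server account should own nothing
# it serves, so a compromised httpd cannot rewrite the site.
count_owned_by() {
  find "$1" -user "$2" | wc -l | tr -d ' '
}

# Apply the scheme from the mail: directories 755 (owner rwx, everyone else
# read + traverse), files keep their owner bits but lose group/other write.
harden_tree() {
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod go-w {} \;
}

# Demo on a constructed tree: one world-writable directory holding one
# world-writable file, a shape a carelessly copied Sites/ tree can end up in.
demo_root=$(mktemp -d)
mkdir "$demo_root/strawberry"
printf '<h1>hello</h1>\n' > "$demo_root/strawberry/index.html"
chmod 777 "$demo_root/strawberry"
chmod 666 "$demo_root/strawberry/index.html"

echo "writable by group/other before: $(count_writable "$demo_root")"   # 2
harden_tree "$demo_root"
echo "writable by group/other after:  $(count_writable "$demo_root")"   # 0
rm -rf "$demo_root"
```

Run `count_owned_by /Library/WebServer/Documents/Sites httpd` (substituting the User configured in httpd.conf) after the move; anything it lists is content the server could modify with its own rights if the application were compromised, and `harden_tree` alone does not fix ownership, only the mode bits.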

