httpd-users mailing list archives

From Richard <lists-apa...@listmail.innovate.net>
Subject Re: [users@httpd] Apache permissions stabs new Linux user in face with icepick. Suggestions?
Date Thu, 10 Mar 2016 12:59:35 GMT

> Date: Thursday, March 10, 2016 12:24:23 +0000
> From: Lester Caine <lester@lsces.co.uk>
>
> On 10/03/16 01:40, Francis Roy wrote:
>> This is a new install of Linux Mint 17.x with the default
>> Apache/2.4.7 (Ubuntu) install at /etc/apache2
>> My websites, plain html and PHP are kept on a different hard-drive.
>> /media/username/Terrabyte/00_Server/htdocs
> 
> Francis ...
> Since security on Linux is a high priority, many of the default
> actions are set up with that in mind.
> When Apache is installed it uses its own user and group and if the
> demo site is also created this is owned by that. I think Ubuntu uses
> 'www-data' and 'www' so the tidy way of changing your setup is to
> 
> chown -R www-data:www /media/username/Terrabyte/00_Server/htdocs

For security reasons, the documentroot directory and files, and other
server related directories/files (configuration, etc.) should never
be owned or writable by the user or group that the web server runs
under. As appropriate they need to be readable by the web server, but
never owned/writable by its user/group (www-data:www in this context).

The issue is that if the web server's user/group own/can write to
those directories/files, if someone is able to break through the
server - either an issue with the server or more likely some poorly
written script - they will control those directories/files and be
able to deface the served content and perhaps more with ease, i.e.,
"own" what is served by your web server.

In general, the documentroot directories/files should be owned by
some unprivileged user and (only) readable by "other".

There may be times when it seems necessary to have the web server
have write access to the directories/files, e.g., for content
updates. In such cases, care needs to be given to how this is done to
ensure that security is maintained.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
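The layout Richard describes, written out as a POSIX shell script. This is an added example, not code from the thread or from the Apache project: the DocumentRoot path and the owner name are stand-ins for whatever applies on your host, the demo tree is constructed in a temporary directory, and the "server must write somewhere" case from the last paragraph is handled by confining writes to one setgid directory group-owned by the server group (www-data on Debian/Ubuntu) that the read-only audit skips.

```shell
#!/bin/sh
# Added example (not from the original thread). Hypothetical paths and
# user/group names; adjust DOCROOT/OWNER to your own system.

# Layout from the thread: content owned by an unprivileged user (never the
# server's own www-data), directories 0755 and files 0644, so httpd reads
# everything via "other" but can write nothing under the tree.
harden_docroot() {
    root="$1" owner="$2"
    # chown needs root; in an unprivileged dry run just keep current owner.
    chown -R "$owner:$owner" "$root" 2>/dev/null || :
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
}

# The one exception: a directory the server must write (uploads, cache).
# Group-owned by the server group, setgid so new files inherit it, and
# nothing else in the tree gets write bits for that group.
make_server_writable_dir() {
    dir="$1" server_group="$2"
    mkdir -p "$dir"
    chgrp "$server_group" "$dir" 2>/dev/null || :
    chmod 2770 "$dir"
}

# Audit: print every path under $1 writable by group or other, skipping
# the optional allowed writable directory $2. Returns 1 if any are found.
audit_docroot() {
    root="$1" allowed="${2:-}"
    if [ -n "$allowed" ]; then
        offenders=$(find "$root" -path "$allowed" -prune -o \
            \( -perm -g=w -o -perm -o=w \) -print)
    else
        offenders=$(find "$root" \( -perm -g=w -o -perm -o=w \) -print)
    fi
    if [ -n "$offenders" ]; then
        printf 'writable by group/other under %s:\n%s\n' "$root" "$offenders"
        return 1
    fi
    return 0
}

# Demo on a constructed tree standing in for
# /media/username/Terrabyte/00_Server/htdocs (hypothetical).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/inc"
    printf '<html></html>\n' > "$tmp/htdocs/index.html"
    printf '<?php // constructed sample\n' > "$tmp/htdocs/inc/config.php"
    chmod 0777 "$tmp/htdocs/inc"          # sloppy: anyone can drop files here
    chmod 0666 "$tmp/htdocs/index.html"   # sloppy: the server could deface it
    audit_docroot "$tmp/htdocs" || echo "-> before hardening: offenders above"
    harden_docroot "$tmp/htdocs" "$(id -un)"
    make_server_writable_dir "$tmp/htdocs/uploads" www-data
    audit_docroot "$tmp/htdocs" "$tmp/htdocs/uploads" && echo "-> after: clean"
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh harden.sh demo` to see the before/after audit on the constructed tree; on a real host call `harden_docroot /path/to/htdocs username` as root and re-run `audit_docroot` after every content update, since a single `chmod 777` by a deploy script is enough to reopen the defacement path the thread warns about.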

