Hi,
is it ok to give full permission to regular users in "/var/www/html" directory? or is this the way how it should be?
I am new to managing the apache server. Currently I am learning the PHP which requires that I should be able to write in "/var/www/html" directory to check my code and modify it. Right now I have given full permission to all users in this directory so that I can have full control over it.
My question is about security...what if this server is serving online? Is it secure to do this? I have tried apache's online documentation too but it doesn't say anything about this stuff (more on server configurations and others).
Thanks
On 8/5/06, Deepak Shrestha d88pak@gmail.com wrote:
Hi,
is it ok to give full permission to regular users in "/var/www/html" directory? or is this the way how it should be?
I am new to managing the apache server. Currently I am learning the PHP which requires that I should be able to write in "/var/www/html" directory to check my code and modify it. Right now I have given full permission to all users in this directory so that I can have full control over it.
My question is about security...what if this server is serving online? Is it secure to do this? I have tried apache's online documentation too but it doesn't say anything about this stuff (more on server configurations and others).
Thanks
--
hey,
You should not give full permissions to the users on /var/www/html directory but you should give whatever rights to the users on the directory which you have created under /var/www/html for example testing
By default permissions on html directory is below that means all the users have the read and execute permission on the html directory
drwxr-xr-x 24 root root 4096 Jul 31 18:06 html
Now if you want to give the users permissions on testing directory under /var/www/html directory then whatever permissions are necessary for your software you give
like read for all but write only for the owner
drwxr--r--
or read & execute for all the users
drwxr-xr-x
change the group of the directory to apache so that there should not be any problem in executing the software through web.
Regards
Ankush Grover
On Sat, 2006-08-05 at 13:55 +0800, Deepak Shrestha wrote:
Hi,
is it ok to give full permission to regular users in "/var/www/html" directory? or is this the way how it should be?
I am new to managing the apache server. Currently I am learning the PHP which requires that I should be able to write in "/var/www/html" directory to check my code and modify it. Right now I have given full permission to all users in this directory so that I can have full control over it.
My question is about security...what if this server is serving online? Is it secure to do this? I have tried apache's online documentation too but it doesn't say anything about this stuff (more on server configurations and others).
You might consider checking out the UserDir directive in the httpd.conf file (disabled by default), which would enable your users to host pages (including PHP) in their ~/public_html directory and access them via http://server.name/~username/
That would avoid the need to open up /var/www/html.
Paul.
On Sat, 2006-08-05 at 11:01 +0100, Paul Howarth wrote:
You might consider checking out the UserDir directive in the httpd.conf file (disabled by default), which would enable your users to host pages (including PHP) in their ~/public_html directory and access them via http://server.name/~username/
That would avoid the need to open up /var/www/html.
Confused, what about ownership?? I thought it had to be apache:apache according to the docs? Just getting mine up as well and I really need to know. I have no users on my machine, just html to the web. Ric
Ric Moore wrote:
On Sat, 2006-08-05 at 11:01 +0100, Paul Howarth wrote:
You might consider checking out the UserDir directive in the httpd.conf file (disabled by default), which would enable your users to host pages (including PHP) in their ~/public_html directory and access them via http://server.name/~username/
That would avoid the need to open up /var/www/html.
Confused, what about ownership?? I thought it had to be apache:apache according to the docs? Just getting mine up as well and I really need to know. I have no users on my machine, just html to the web. Ric
Imagine there is a security issue somewhere in Apache, PHP, Perl or a web application: if /var/www/html (and maybe even what is below it) were owned by apache:apache, an attacker could easily deface or otherwise manipulate the web content. That is not good. Generally the user that Apache (httpd) runs as does not need to be able to write/delete web content. In limited cases there must be specific space for Apache to store data. Then such specific directories need apache ownership / group ownership.
Alexander
Thanks for all the suggestions but I am a bit confused here. Maybe I should have asked the question in a different way. In general what I wanted to know is how root will give permission to a group of web developers (supposing PHP developers) in the "/var/www/html" directory so that they can read/write/modify the contents. In formal words, what are the best practices for this? Do web developers do their jobs on a machine other than the one which is hosting the web, and then root will pour the content in after the job is finished???
I am asking this because it is possible to directly edit the web contents in windows machines (supposing using IIS, dreamweaver).
In linux I guess the question is more about the ownership of a certain directory (who owns what and how secure it is when it's live on the web??)
You might consider checking out the UserDir directive in the httpd.conf file (disabled by default), which would enable your users to host pages (including PHP) in their ~/public_html directory and access them via http://server.name/~username/
That would avoid the need to open up /var/www/html.
this option is ok but this is not what I exactly want. What if a group of developers are developing a main website instead of hosting their personal pages from their home directory?
Thanks and good day!
On Sat, 2006-08-05 at 22:02 +0800, Deepak Shrestha wrote:
Thanks for all the suggestions but I am a bit confused here. Maybe I should have asked the question in a different way. In general what I wanted to know is how root will give permission to a group of web developers (supposing PHP developers) in the "/var/www/html" directory so that they can read/write/modify the contents. In formal words, what are the best practices for this? Do web developers do their jobs on a machine other than the one which is hosting the web, and then root will pour the content in after the job is finished???
I am asking this because it is possible to directly edit the web contents in windows machines (supposing using IIS, dreamweaver).
In linux I guess the question is more about the ownership of a certain directory (who owns what and how secure it is when it's live on the web??)
You might consider checking out the UserDir directive in the httpd.conf file (disabled by default), which would enable your users to host pages (including PHP) in their ~/public_html directory and access them via http://server.name/~username/
That would avoid the need to open up /var/www/html.
this option is ok but this is not what I exactly want. What if a group of developers are developing a main website instead of hosting their personal pages from their home directory?
Well this is a different issue really than what you originally posted about, which was that you were learning PHP.
Two approaches you might consider would be:
1. Create a user account for your web data to be held under, change the ownership of /var/www/html to that user, and have your web designers use that account name and password when uploading their files from their windows machines to your web server. This is a fairly simple approach but it's difficult to tell who wrote which files.
2. Create a group account for your web data to be held under, and make each of your web designers' accounts a member of that group. Change the group ownership of /var/www/html to that group, and make it group writable. Make sure that whichever means you use to upload files to this area (e.g. FTP server) has an appropriate umask setting so that it writes files with the group write permission set. Each file uploaded will then be owned by the person that initially uploaded it, but can be overwritten by any other member of the group.
Paul.
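Approach 2 above, reproduced as an added example (not part of Paul's message) in a scratch directory so it runs without root. The setgid bit on the directory is an addition the message does not mention: without it, new files on Linux get the uploader's primary group rather than the shared one. The group name `webdev` in the comments is hypothetical, and the current user's primary group stands in for it.

```shell
#!/bin/sh
# Added example: the group-writable layout from approach 2. On a real server
# DIR would be /var/www/html and GROUP a dedicated group such as "webdev"
# (hypothetical name); here a temporary directory and the caller's own
# primary group are used so no root access is needed.

# mode_of PATH: print the 10-character permission string, e.g. drwxrwsr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# share_dir DIR GROUP: hand DIR to GROUP and make it group-writable.
# Mode 2775 includes the setgid bit, so files created inside inherit GROUP.
share_dir() {
    chgrp "$2" "$1" && chmod 2775 "$1"
}

# upload_with_umask DIR NAME UMASK: create DIR/NAME the way an upload service
# running with that umask would, then print the resulting permission string.
upload_with_umask() {
    ( umask "$3" && : > "$1/$2" ) && mode_of "$1/$2"
}

demo() {
    docroot=$(mktemp -d) || return 1
    # stand-in for: share_dir /var/www/html webdev
    share_dir "$docroot" "$(id -gn)" || return 1
    echo "docroot    $(mode_of "$docroot")"
    # umask 022 drops group write: other group members cannot overwrite the file
    echo "umask 022  $(upload_with_umask "$docroot" a.php 022)"
    # umask 002 keeps group write: any member of the group can overwrite it
    echo "umask 002  $(upload_with_umask "$docroot" b.php 002)"
    rm -rf "$docroot"
}

demo
```

The same umask has to be set in whatever service writes the files (the FTP server in Paul's example); a login shell's umask does not apply to it.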
Thanks paul, this is what exactly I wanted to know.
Thanks again
Deepak Shrestha wrote:
Thanks for all the suggestions but I am a bit confused here. Maybe I should have asked the question in a different way. In general what I wanted to know is how root will give permission to a group of web developers (supposing PHP developers) in the "/var/www/html" directory so that they can read/write/modify the contents. In formal words, what are the best practices for this? Do web developers do their jobs on a machine other than the one which is hosting the web, and then root will pour the content in after the job is finished???
I am asking this because it is possible to directly edit the web contents in windows machines (supposing using IIS, dreamweaver).
In linux I guess the question is more about the ownership of a certain directory (who owns what and how secure it is when it's live on the web??)
The best practice would be for web developers to do their development on another machine (or in a different virtual host / directory on the same machine). When code is ready to be released, it's "published" from the test system to the live system. It would be a good idea to throw something like subversion into the mix for source code control.
In this scenario, all users of your web developer group have read/write access to the test area, but only a few people have rights to write into the live system's web directory tree.
I guess virtual host will do the thing for me right now. Thanks for the idea.
On Sat, 2006-08-05 at 09:02, Deepak Shrestha wrote:
Thanks for all the suggestions but I am a bit confused here. Maybe I should have asked the question in a different way. In general what I wanted to know is how root will give permission to a group of web developers (supposing PHP developers) in the "/var/www/html" directory so that they can read/write/modify the contents. In formal words, what are the best practices for this? Do web developers do their jobs on a machine other than the one which is hosting the web, and then root will pour the content in after the job is finished???
I am asking this because it is possible to directly edit the web contents in windows machines (supposing using IIS, dreamweaver).
In linux I guess the question is more about the ownership of a certain directory (who owns what and how secure it is when it's live on the web??)
There are other considerations, especially if there are multiple developers. One is how to test changes before putting them into production, and another is how to revert to a working version if (when...) errors slip through the testing. If one person is doing everything he'll probably be the one that has to fix it, but if you have a team, one member's change may break something and not be obvious to the person that sees the resulting problem or is supposed to fix it.
One approach is to let everyone work in their own workspace, using a version control system like subversion or CVS to integrate the changes and a test server that can be updated from the version control system. A number of ways can be used to copy from the test site to production. If both are virtual servers on the same box you might just copy the files - or update to the same tag from the version control system. If there are multiple servers or they are remote, you might want to use a scripted rsync command to push the update out. In any case you want a way to restore an earlier working version keeping in mind that you might push several versions before someone notices the part that doesn't work. An underlying version control system gives you that, along with the ability to see what changes had been made and who made them.
On Sat, 2006-08-05 at 09:10 -0400, Ric Moore wrote:
Confused, what about ownership?? I thought it had to be apache:apache according to the docs? Just getting mine up as well and I really need to know. I have no users on my machine, just html to the web.
Which docs suggest that?
For what it's worth, it's conventional for Apache to serve out documents that have world-readable permissions (the "other" user), since it's usually not going to be known users reading something on a world wide web server. As such, it doesn't matter who owns the files being read, but ownership is important for authoring purposes (authors do need write access to their own files), and security reasons (the server shouldn't, generally, have write access).
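An added example, not written by any poster in this thread: an audit of a document root for the two conditions raised above, content that any local user can modify and content owned by the account httpd runs as. The function names and the sample tree are constructed for illustration, and the current uid stands in for the `apache` account so the demo runs unprivileged.

```shell
#!/bin/sh
# Added example: audit a document root. SERVER_USER is the account httpd runs
# as ("apache" in this thread); a numeric uid is accepted as well.

# world_writable DIR: entries any local user can modify.
# Symlinks are skipped because their own mode bits carry no meaning.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# server_owned DIR SERVER_USER [ALLOWED_DIR]: entries the server account owns,
# and could therefore rewrite or chmod. ALLOWED_DIR is the one subtree where
# the server is meant to store data; it is pruned from the search.
server_owned() {
    if [ -n "$3" ]; then
        find "$1" -path "$3" -prune -o -user "$2" -print
    else
        find "$1" -user "$2" -print
    fi
}

# audit_docroot DIR SERVER_USER [ALLOWED_DIR]: print findings, return 1 if any.
audit_docroot() {
    report=$(
        world_writable "$1" | sed 's/^/WORLD-WRITABLE /'
        server_owned "$1" "$2" "$3" | sed 's/^/SERVER-OWNED   /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

demo() {
    root=$(mktemp -d) || return 1          # constructed sample tree
    mkdir "$root/uploads" "$root/cache"
    : > "$root/index.php"
    chmod 755 "$root" "$root/cache"
    chmod 644 "$root/index.php"
    chmod 777 "$root/uploads"              # the "full permission to all users" case
    # current uid plays the server account; cache/ is its allowed data area
    audit_docroot "$root" "$(id -u)" "$root/cache" || echo "audit: findings listed above"
    rm -rf "$root"
}

demo
```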