web file permissions (was: Working as root while Apache is running; how much a risk?)

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Fri Jul 9 19:48:45 UTC 2004


On Fri, 09.07.2004 at 19:19, Jack Bowling wrote:

> Yes, this is heinous thread hijacking but it's at least tangentially related
> to the former subject. What are the thoughts on permissions, including ownership, for files and
> directories residing on a webserver? Should they all be apache, i.e., the same owner as the running
> process? Or would that just make it easier for the perp to change files if they managed to usurp the
> running process? Maybe a totally different unprivileged user?

Speaking about the main server with DocumentRoot /var/www/html, it is ok
to have files and directories owned by root:root, files chmod 644 and dirs
chmod 755. For some applications like phpMyAdmin or Horde/IMP I am using
chown root:apache.

> Myself, I make all my web files owned by nobody and the running process
> owned by apache. All static files have 0400 permissions. Directories must
> have 0755.

That can't work. If the files are owned by nobody and only readable by
nobody, then user apache can't read the files for web serving.

Directories don't have to be 0755. If the owner and group are different
from the user under which the Apache daemon is running, then +x for
other/world is enough. As an example, if you have a UserDir
configuration running, then the users' home directories have to be chmod
0711 so that apache can access the files under ~/public_html.

> Jack Bowling

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435.2.3 
Serendipity 21:41:47 up 2 days, 3:50, load average: 0.16, 0.46, 0.48 
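As an added example (not part of the thread), a POSIX shell audit of the scheme Alexander describes: it lists anything under a DocumentRoot that the daemon user could write to, and checks the other/+x traversal a UserDir home needs. The user and group names and the paths in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a DocumentRoot against the
# scheme in the reply above, content owned by root (or root:apache), files
# 0644, directories 0755, so the daemon user can read but never write.

# audit_webroot <dir> <web-user> <web-group>
# Prints every file or directory under <dir> that the web-server process
# could modify: world-writable, owned by <web-user> with u+w, or owned by
# <web-group> with g+w. Returns 0 only when nothing writable is found.
audit_webroot() {
    out=$(find "$1" \( -type f -o -type d \) \
        \( -perm -o+w \
           -o \( -user "$2" -perm -u+w \) \
           -o \( -group "$3" -perm -g+w \) \) -print) || return 2
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# check_traversal <file>
# For a UserDir layout (~/public_html reached through a 0711 home), every
# directory from the file up to / must grant other/world +x; the other
# bits on those directories are irrelevant to a foreign uid/gid. Prints
# the directories lacking o+x and returns 0 when the path is traversable.
check_traversal() {
    d=$(cd "$(dirname "$1")" && pwd -P) || return 2
    rc=0
    while [ "$d" != "/" ]; do
        # -prune keeps find on the directory itself instead of descending
        if [ -n "$(find "$d" -prune ! -perm -o+x -print)" ]; then
            printf '%s\n' "$d"
            rc=1
        fi
        d=$(dirname "$d")
    done
    return $rc
}

# Typical use on the layout from the thread (no output, exit 0 = clean):
#   audit_webroot /var/www/html apache apache
#   check_traversal /home/USER/public_html/index.html   # USER is a placeholder
```

Directories that are meant to be writable by the daemon (upload or cache directories) are listed too, so the output is a review list rather than a verdict. POSIX ACLs are not inspected; only the classic mode bits are.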