File Permissions
Dotan Cohen
dotancohen at gmail.com
Tue Feb 20 14:03:30 UTC 2007
On 20/02/07, Tim <ignored_mailbox at yahoo.com.au> wrote:
> On Tue, 2007-02-20 at 07:11 -0500, Jim Cornette wrote:
> > Why would you not want apache to own the files? I have a server that
> > is in a sandbox which works fine when files are owned by apache. The
> > permissions are set to 644.
>
> Sure, it'll read them fine, like that. But if there happens to be an
> exploit in the server, or a script that is accessed through the server,
> then it can re-write the files (potentially, maliciously). If they're
> owned by something else, it can't do so.
>
> > Doesn't apache serve the files but the viewer of the file is
> > requesting the files with different permissions?
>
> We have three basic permission groups: Owner, a group, and other. As
> far as HTTP serving is concerned, it's "other" people accessing the
> files. Those permissions apply to them, they should only get read
> access.
>
> Of course this means some work is involved in writing new files to the
> webserver. One can make the HTML directory owned by the author, if you
> trust them not to make mistakes. You can create user-owned
> sub-directories in it. You can create files in your homespace, and
> serve them from there, or copy them to the HTML directory. Probably a
> sensible solution is to make a new webauthors group, and let them own
> the HTML directory with rwx permissions.
>
> --
> (This PC runs FC4, my others FC5 & FC6, in case that's important
> to the thread)
>
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
>
I've got rootDirectory as /home/user/public_html/, not /var/www.
Apache is in the group user. I've got group permission as read only.
This way, I can log in as user and modify the files, but apache can
only read them. Does anybody see anything dangerous here? I figured
that this was the safest way to do it.
Dotan Cohen
http://lyricslist.com/lyrics/artist_albums/314/ll_cool_j.html
http://dagot.com
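An added example, not from anyone in this thread: a small POSIX shell audit for the two layouts discussed above (Tim's "webauthors" group owning the tree with rwx while Apache reads as "other", and Dotan's setup where Apache sits in the author's group with group permissions read-only). In both, the server must never hold write access, so the audit flags anything writable by "other", plus anything writable by its group when that group is the one the server runs in. The group name "webauthors", the helper names, and the sample tree are assumptions made for this example; the -perm /mode syntax needs GNU find, and setup_webauthors_layout needs root.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a DocumentRoot for
# entries a web server process could modify. WEBGROUP is the group the
# server belongs to (a name or numeric gid); group-writable entries owned by
# any other group (e.g. a "webauthors" group) are intentionally not flagged.

# audit_docroot DOCROOT WEBGROUP
# Prints, one per line, every file or directory under DOCROOT writable by
# "other", or writable by group when its group is WEBGROUP. Prints nothing
# when the tree is clean.
audit_docroot() {
    docroot=$1
    webgroup=$2
    find "$docroot" \( -perm /o+w -o \( -group "$webgroup" -perm /g+w \) \) -print | sort
}

# docroot_is_readonly DOCROOT WEBGROUP
# Returns 0 when the audit finds nothing, 1 otherwise (handy in a cron job
# or a deploy hook).
docroot_is_readonly() {
    [ -z "$(audit_docroot "$1" "$2")" ]
}

# setup_webauthors_layout DOCROOT   (needs root; not run in the demo below)
# Applies the layout Tim suggests: a webauthors group owns the tree with rwx,
# directories are setgid so new files inherit the group, and "other" (the
# server) gets read on files and read/search on directories.
setup_webauthors_layout() {
    docroot=$1
    groupadd -f webauthors
    chgrp -R webauthors "$docroot"
    find "$docroot" -type d -exec chmod 2775 {} +
    find "$docroot" -type f -exec chmod 664 {} +
}

# Constructed sample tree (not real data): a correctly set index.html, a
# group-writable script, a world-writable notes file and a group-writable
# directory. Prints the path of the temporary tree.
make_sample_docroot() {
    sample=$(mktemp -d)
    mkdir "$sample/uploads"
    printf '<h1>hi</h1>\n' > "$sample/index.html"
    printf 'echo 1\n' > "$sample/upload.php"
    printf 'todo\n' > "$sample/notes.txt"
    chmod 755 "$sample"
    chmod 644 "$sample/index.html"
    chmod 664 "$sample/upload.php"
    chmod 646 "$sample/notes.txt"
    chmod 775 "$sample/uploads"
    printf '%s\n' "$sample"
}

# sample_group DOCROOT: the group owning the sample files, used to play the
# role of the group the server is in (Dotan's layout).
sample_group() {
    ls -ld "$1/index.html" | awk '{print $4}'
}

# Stand-alone run: build the tree, audit it as if the server shared the
# owners' group, then clean up. Lists notes.txt, upload.php and uploads.
demo=$(make_sample_docroot)
audit_docroot "$demo" "$(sample_group "$demo")"
rm -rf "$demo"
```

Run it against a real tree with something like `audit_docroot /home/user/public_html user` for Dotan's layout, or `audit_docroot /var/www/html apache` for Tim's; any output means the server process could rewrite that path if an exploit in the server or a script gave it a shell.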