File Permissions

Dotan Cohen dotancohen at gmail.com
Tue Feb 20 14:03:30 UTC 2007


On 20/02/07, Tim <ignored_mailbox at yahoo.com.au> wrote:
> On Tue, 2007-02-20 at 07:11 -0500, Jim Cornette wrote:
> > Why would you not want apache to own the files? I have a server that
> > is in a sandbox which works fine when files are owned by apache. The
> > permissions are set to 644.
>
> Sure, it'll read them fine, like that.  But if there happens to be an
> exploit in the server, or a script that is accessed through the server,
> then it can re-write the files (potentially, maliciously).  If they're
> owned by something else, it can't do so.
>
> > Doesn't apache serve the files but the viewer of the file is
> > requesting the files with different permissions?
>
> We have three basic permission groups:  Owner, a group, and other.  As
> far as HTTP serving is concerned, it's "other" people accessing the
> files.  Those permissions apply to them, they should only get read
> access.
>
> Of course this means some work is involved in writing new files to the
> webserver.  One can make the HTML directory owned by the author, if you
> trust them not to make mistakes.  You can create user-owned
> sub-directories in it.  You can create files in your homespace, and
> serve them from there, or copy them to the HTML directory.  Probably a
> sensible solution is to make a new webauthors group, and let them own
> the HTML directory with rwx permissions.
>
> --
> (This PC runs FC4, my others FC5 & FC6, in case that's important
>  to the thread)
>
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
>

I've got rootDirectory as /home/user/public_html/, not /var/www.
Apache is in the group user. I've got group permission as read only.
This way, I can log in as user and modify the files, but apache can
only read them. Does anybody see anything dangerous here? I figured
that this was the safest way to do it.

Dotan Cohen

http://lyricslist.com/lyrics/artist_albums/314/ll_cool_j.html
http://dagot.com
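Added illustration (not part of the thread) of the owner/group/other rule Tim describes, applied to the layouts mentioned: Jim's apache-owned 644 files, Dotan's group-read-only public_html, and Tim's webauthors group. The account names "apache" and "user" and the group "webauthors" come from the thread; the paths and mode records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide from an owner/group/mode record
# whether the web server account could write a file, then audit a constructed
# list covering the layouts discussed. Account names "apache", "user" and the
# group "webauthors" are taken from the thread; the paths are made up.

# can_write OWNER GROUP MODE SRV_USER "SRV_GROUPS..."
# Exit 0 if SRV_USER, a member of the space-separated SRV_GROUPS, gets write
# access under the Unix rule Tim describes: the owner bits apply when the user
# owns the file, otherwise the group bits when it is in the file's group,
# otherwise the "other" bits (which is all Apache gets when it only serves).
can_write() {
    owner=$1 grp=$2 mode=$3 srv_user=$4 srv_groups=$5
    bits=$(( 0$mode & 07 ))                    # default: "other" bits
    if [ "$owner" = "$srv_user" ]; then
        bits=$(( (0$mode >> 6) & 07 ))         # owner class wins outright
    else
        for g in $srv_groups; do
            [ "$g" = "$grp" ] && bits=$(( (0$mode >> 3) & 07 ))
        done
    fi
    [ $(( bits & 02 )) -ne 0 ]
}

# audit SRV_USER "SRV_GROUPS": reads "path owner group mode" records on stdin
# (what 'stat -c "%n %U %G %a"' prints on GNU systems) and tags each path
# WRITABLE or readonly from the server's point of view.
audit() {
    while read -r path owner grp mode; do
        if can_write "$owner" "$grp" "$mode" "$1" "$2"; then
            printf '%s WRITABLE by %s\n' "$path" "$1"
        else
            printf '%s readonly\n' "$path"
        fi
    done
}

# Constructed records: Jim's apache-owned 644 file, Dotan's group-read-only
# public_html, Tim's webauthors-owned file, and a world-writable file that
# ownership alone does not protect.
SAMPLE='/var/www/html/index.html apache apache 644
/home/user/public_html/index.html user user 640
/var/www/html/news.html user webauthors 664
/var/www/html/upload.php user webauthors 666'

# Dotan's layout puts apache in group "user"; pass that membership explicitly.
printf '%s\n' "$SAMPLE" | audit apache "apache user"
```

The last record shows why checking ownership alone is not enough: a file owned by the author but left world-writable is still writable by the server, which is exactly the case Tim warns about.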