File Permissions
Jim Cornette
fc-cornette at insight.rr.com
Wed Feb 21 01:14:46 UTC 2007
Tim wrote:
> On Tue, 2007-02-20 at 07:11 -0500, Jim Cornette wrote:
>> Why would you not want apache to own the files? I have a server that
>> is in a sandbox which works fine when files are owned by apache. The
>> permissions are set to 644.
>
> Sure, it'll read them fine, like that. But if there happens to be an
> exploit in the server, or a script that is accessed through the server,
> then it can re-write the files (potentially, maliciously). If they're
> owned by something else, it can't do so.
Thanks Tim and replies-listsa1z2-rh!
I might experiment with changing the owner to something else. Before I
changed the file permissions to apache, I could not get the files to
even display without an access error.
The website I have is just used on a network where I am the only
user, for running tests. Funny, I know, given that the purpose of a
website is to serve many users.
>
>> Doesn't apache serve the files but the viewer of the file is
>> requesting the files with different permissions?
>
> We have three basic permission groups: Owner, a group, and other. As
> far as HTTP serving is concerned, it's "other" people accessing the
> files. Those permissions apply to them, they should only get read
> access.
I could not read the files served up by apache; testing tomorrow.
>
> Of course this means some work is involved in writing new files to the
> webserver. One can make the HTML directory owned by the author, if you
> trust them not to make mistakes. You can create user-owned
> sub-directories in it. You can create files in your homespace, and
> serve them from there, or copy them to the HTML directory. Probably a
> sensible solution is to make a new webauthors group, and let them own
> the HTML directory with rwx permissions.
I'll have to investigate further on this. I could not write to the
server when apache owned the files.
Isn't apache limited on what it can access, even more than a regular user?
Jim
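
Added example, not part of the original thread: a Python audit of a document root for the situation Tim describes, listing the paths the web server account could rewrite and the files it cannot read. The `apache` account name and `/var/www/html` path used as defaults are assumptions, and only the classic owner/group/other mode bits are checked, not ACLs or SELinux policy.

```python
import os
import stat
import sys

def server_access(st, uid, gids):
    """Return (can_read, can_write) for a non-root process with uid/gids.

    Follows the kernel's order: owner bits if the uid matches, else group
    bits if any gid matches, else the "other" bits.
    """
    if st.st_uid == uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(st.st_mode & r), bool(st.st_mode & w)

def audit_docroot(root, uid, gids):
    """Walk root; return (writable_by_server, unreadable_by_server)."""
    writable, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        # Check each directory (new files can be dropped into a writable
        # one) and every file inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not enforced
            can_read, can_write = server_access(st, uid, gids)
            if can_write:
                writable.append(path)   # server could rewrite this
            if stat.S_ISREG(st.st_mode) and not can_read:
                unreadable.append(path)  # would give an access error
    return sorted(writable), sorted(unreadable)

if __name__ == "__main__":
    import pwd
    # Assumed defaults: docroot /var/www/html, server account "apache".
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    user = sys.argv[2] if len(sys.argv) > 2 else "apache"
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    writable, unreadable = audit_docroot(root, pw.pw_uid, gids)
    for p in writable:
        print("WRITABLE by %s: %s" % (user, p))
    for p in unreadable:
        print("UNREADABLE by %s: %s" % (user, p))
```

An empty report for a tree of files owned by an author account with mode 644 corresponds to the layout Tim recommends: the server reads through the "other" bits and can write nothing.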