File Permissions

Jim Cornette fc-cornette at insight.rr.com
Wed Feb 21 01:14:46 UTC 2007


Tim wrote:
> On Tue, 2007-02-20 at 07:11 -0500, Jim Cornette wrote:
>> Why would you not want apache to own the files? I have a server that
>> is in a sandbox which works fine when files are owned by apache. The 
>> permissions are set to 644.
> 
> Sure, it'll read them fine, like that.  But if there happens to be an
> exploit in the server, or a script that is accessed through the server,
> then it can re-write the files (potentially, maliciously).  If they're
> owned by something else, it can't do so.

Thanks Tim and replies-listsa1z2-rh !

I might experiment with changing the owner to something else. Before I 
changed the file permissions to apache, I could not get the files to 
even display without an access error.

The website I have is just used on a network where I am the only 
user, for running tests. Funny, I know, given that the purpose of a website 
is to serve many users.


> 
>> Doesn't apache serve the files but the viewer of the file is
>> requesting the files with different permissions?
> 
> We have three basic permission groups:  Owner, a group, and other.  As
> far as HTTP serving is concerned, it's "other" people accessing the
> files.  Those permissions apply to them, they should only get read
> access.

I could not read the files served up by apache, testing tomorrow.

> 
> Of course this means some work is involved in writing new files to the
> webserver.  One can make the HTML directory owned by the author, if you
> trust them not to make mistakes.  You can create user-owned
> sub-directories in it.  You can create files in your homespace, and
> serve them from there, or copy them to the HTML directory.  Probably a
> sensible solution is to make a new webauthors group, and let them own
> the HTML directory with rwx permissions.

I'll have to investigate further on this. I could not write to the 
server when apache owned the files.

Isn't apache limited on what it can access, even more than a regular user?

Jim
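The layout Tim suggests (a webauthors group owning the HTML directory, apache reading it as "other") and an audit for the two risks raised in the thread, as an added example that is not part of the list thread. The group name, the server user "apache" and the document root are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. setup_webauthors applies the layout Tim
# suggests (a webauthors group owns the HTML tree with rwx; apache reads it as
# "other"); audit_docroot lists what the thread warns about: files the server
# user owns, and anything writable by "other". Assumed names: group
# "webauthors", server user "apache", document root /var/www/html.

# Apply the layout. Requires root; the audit below never calls it.
setup_webauthors() {
    docroot=${1:-/var/www/html}
    group=${2:-webauthors}
    getent group "$group" >/dev/null || groupadd "$group"
    chgrp -R "$group" "$docroot"
    # Directories 2775: owner/group rwx, other r-x, setgid so new files
    # inherit the group. Files 664: owner/group rw, other r only.
    find "$docroot" -type d -exec chmod 2775 {} +
    find "$docroot" -type f -exec chmod 664 {} +
}

# Print one line per finding:
#   OWNED_BY_SERVER <path>  a compromised server process could rewrite this
#   WORLD_WRITABLE <path>   any local account, apache included, can write it
audit_docroot() {
    docroot=$1
    server_user=${2:-apache}
    find "$docroot" -user "$server_user" | sed 's/^/OWNED_BY_SERVER /'
    find "$docroot" -perm -002 | sed 's/^/WORLD_WRITABLE /'
}

# Succeed only when the audit reports nothing.
docroot_is_clean() {
    [ -z "$(audit_docroot "$1" "$2")" ]
}
```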
