installiing joomla

Matthew J. Roth mroth at imminc.com
Sat Sep 14 17:10:08 UTC 2013 

Tim wrote:
> 
> You should NOT change ownership of /var/www/http to Apache, never do
> that.  That's a VERY BAD THING!!!!!!  Anyone who advises you to do that
> is not to be trusted (whether it's because they're being malicious, or
> simply that they don't know what they're talking about).  That allows
> anything that can access the webserver to be able to write to those
> files.  That's a major security risk.  I you do not understand this,
> then stop, and learn about it before continuing to do anything else.
> Seriously!  Stop, and do more research.  I cannot emphasise it enough.
> ...
> The Apache webserver accesses files as the apache user, so on a properly
> set up system, it only has read-only access to files, as the "other"
> user.  By default, the www directory is owned by root, so that whoever
> is going to edit the files has to have sufficient authority to be able
> to write there, or change permissions/ownership so that they can write
> there in their own name (rather than root).
> 
> For those things that need write access to the files (such as web
> blogging where the author will add to the blog by writing through the
> webserver, or a plethora of other web services), then some other method
> must be used than chowning them to apache.


Tim,

Please share some acceptable methods of allowing Apache to write files within
DocumentRoot.  Searching Google for "Apache write within DocumentRoot" yields a
lot of results that recommend giving Apache write access.  For example, the
canonical answer about file permissions on a Linux web server at Server Fault¹
says:

  If you have folders that need to be writable by Apache, you can just modify
  the permission values for the group owner so that www-data has write access.
  
    chmod g+w uploads
    ls -l
    drwxrws--- 2 eve      www-data   4096 Feb  5 22:52 uploads

and:

  If you have folders that need to be writable by Apache, you can make Apache
  either the user owner or the group owner. Either way, it will have all the
  access it needs. Personally, I prefer to make it the user owner so that the
  developers can still browse and modify the contents of upload folders.
  
    chown -R www-data uploads
    ls -l
    drwxrwxr-x 2 www-data     dev-fabrikam   4096 Feb  5 22:52 uploads

and:

  If you have folders that need to be writable by Apache, you can just modify
  the permission values for the user owner so that www-data has write access.
  
    chmod u+w uploads
    ls -l
    drwxrwx--- 2 www-data  dev-fabrikam   4096 Feb  5 22:52 fabrikam.com

¹ http://serverfault.com/questions/357108/what-are-the-best-linux-permissions-to-use-for-my-website

Thank you,

Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer

More information about the users mailing list