I have a site running Drupal. The apache user therefore needs to be able to write certain files (CSS files for example).

I also have a directory under my web root which is a SAN mount, to which apache must be able to write.

What is the most secure way to implement this?

I am thinking:

chown -R root:apache /var/www/html
chmod -R 0750 /var/www/html
chown apache:apache for where need to write

Is there a better way?

S.

Stephen Nelson-Smith wrote:
> I have a site running Drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).
>
> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write

Yes, use ACLs and SELinux.

--
Eero

Hi,

On Fri, Nov 27, 2009 at 12:46 PM, Stephen Nelson-Smith <stephen at atalanta-systems.com> wrote:
> I have a site running Drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).
>
> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write
>
> Is there a better way?

What is usually a good approach is to set up specific directories where Apache can write (like "files" or "images") and then disable PHP/other code execution from that directory. So if someone is able to hack your web app and upload something (malicious code) into that directory, it won't get executed.

To put it briefly: keep your executable code and upload directories separate.

Cheers,
Peter

Hey

On Fri, Nov 27, 2009 at 10:46 AM, Stephen Nelson-Smith <stephen at atalanta-systems.com> wrote:
> I have a site running drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).
>
> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write
>
> Is there a better way?

This might be an idea
http://www.faqs.org/docs/securing/chap29sec254.html
and this
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-acls.html

of course disabling execution of files in your upload dir is really important.

Cheers
Didi

--
My www page: www.ribalba.de
Email / Jabber: ribalba at gmail.com
Skype : ribalba
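
Added example, not part of the thread or any poster's own commands: shell functions for the layout discussed above, with code read-only for the web server, write access limited to named directories, PHP switched off there from the main server config, and an audit that lists anything breaking that layout. It assumes mod_php and an httpd account named apache, and it uses 0640 for files rather than a recursive 0750 so that files carry no execute bit; the function names and the Drupal path in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.
WEB_USER=${WEB_USER:-apache}   # assumption: account httpd runs as

# harden_tree ROOT WRITABLE_DIR...
# Code tree: root:$WEB_USER, dirs 0750, files 0640, so httpd can read only.
# Named dirs: owned by $WEB_USER, the only places httpd can write.
harden_tree() {
    root=$1; shift
    find "$root" -type d -exec chmod 0750 {} + || return 1
    find "$root" -type f -exec chmod 0640 {} + || return 1
    # chown needs root and an existing account; otherwise only modes are set
    if [ "$(id -u)" -eq 0 ] && id "$WEB_USER" >/dev/null 2>&1; then
        chown -R "root:$WEB_USER" "$root" || return 1
        for d in "$@"; do
            chown -R "$WEB_USER:$WEB_USER" "$d" || return 1
        done
    fi
}

# emit_noexec_conf WRITABLE_DIR...
# Prints <Directory> blocks for the main httpd config. Not .htaccess: httpd
# owns these directories and could rewrite a .htaccess placed inside them.
# Assumes mod_php is loaded (php_admin_flag is its directive).
emit_noexec_conf() {
    for d in "$@"; do
        printf '<Directory "%s">\n' "$d"
        printf '    AllowOverride None\n    Options None\n'
        printf '    php_admin_flag engine off\n</Directory>\n'
    done
}

# audit_tree ROOT
# Prints paths that break the layout: anything group- or world-writable,
# and regular files with any execute bit. Empty output means clean.
audit_tree() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Usage (paths are examples; sites/default/files is Drupal's usual files dir):
#   harden_tree /var/www/html /var/www/html/sites/default/files
#   emit_noexec_conf /var/www/html/sites/default/files > noexec.conf
#   audit_tree /var/www/html
```

Run audit_tree from cron or a deployment check after every module or theme update, since unpacking an archive can reintroduce group-writable or executable files.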