On Mon, 7 Nov 2005, JC wrote:
> By default, /var/www/html/ folder is under user/group root. Is it a
> good idea to change this to apache user/group? I'm trying to set up
> web server box using CentOS 4.2. Any idea how this change can
> affect the system and php programming? Any pros & cons for this
> change???

If the apache user owns the /var/www/html tree, then any httpd process
can write into that file space. That's probably not at all what you
want unless you're running Apache with extremely tight access controls
and wire-level crypto.

There are occasions when the apache user needs to be able to write to
files -- wikis and webdav are good examples -- but usually the
directories available to those processes are clearly identified.

Having the apache group own the tree is subtly different. On a
multi-user system, giving the apache group read access to
/var/www/html and then running "chmod -R o-rwx" against that tree can
prevent unauthorized local users from poking around the web tree and
potentially bypassing Apache's access controls.

> Any security risk to have /var/www/html/ folder under user/group
> root?

None per se, though you probably don't want to have to provide sudo
access just for people to publish web pages. Typically, I think,
different user groups are given write-access to different parts
of the /var/www/html tree so they can maintain their content.

Also, if you're actively running SELinux, you'll need to pay attention
to the security-context attributes of files/directories you create.
Do "ls -Z" to see what's up.
--
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com
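
An audit of the two conditions discussed in the reply above, added here as an example and not part of the original message: it lists paths the web server account owns and paths that still grant access to "other" local users. The function names, the sample tree and the default account name "apache" are assumptions.

```shell
#!/bin/sh
# Added example. Prints one finding per line:
#   OWNED <path>  owned by the web server account, so httpd can write to it
#   OTHER <path>  grants some permission bit to "other" local users
audit_webroot() {
    root=$1 web_user=$2
    # An owner can write, or chmod the file writable, whatever its mode is now.
    find "$root" -user "$web_user" -print | sed 's/^/OWNED /'
    # Symlinks are skipped: their own mode is always rwxrwxrwx.
    find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/OTHER /'
}

# Constructed sample tree standing in for /var/www/html (not real data).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/html" "$d/html/wiki"
    echo '<p>hi</p>' > "$d/html/index.html"
    echo 'secret' > "$d/html/wiki/db.conf"
    chmod 750 "$d/html" "$d/html/wiki"
    chmod 640 "$d/html/index.html"
    chmod 644 "$d/html/wiki/db.conf"   # left readable by every local user
    echo "$d/html"
}

if [ "$#" -ge 1 ]; then
    # Real use, e.g.: ./audit.sh /var/www/html apache
    audit_webroot "$1" "${2:-apache}"
else
    # Demo: the current uid stands in for the apache account (assumption).
    tree=$(make_sample_tree)
    echo "before chmod -R o-rwx:"; audit_webroot "$tree" "$(id -u)"
    chmod -R o-rwx "$tree"
    echo "after chmod -R o-rwx:";  audit_webroot "$tree" "$(id -u)"
    rm -rf "${tree%/html}"
fi
```

An empty result for the OWNED check, with OTHER findings limited to what is meant to be locally readable, matches the layout the reply describes.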