Hi, I'm currently setting up a simple web server. So far, everything (PHP, MySQL) works very well, but I admit I never gave security that much thought. Time to change that habit. First things first. The RHEL Deployment Guide lists Apache's configuration directives alphabetically. Instead of going through them from A to Z, I'll try to start with what seems more important, and then advance step by step. User apache Group apache As far as I understand, I have to chown all my web content accordingly, so that everything below /var/www/html belongs to apache:apache. Right? cheers, Niki
On Jan 29, 2008 11:25 AM, Niki Kovacs <contact at kikinovak.net> wrote:> As far as I understand, I have to chown all my web content accordingly, > so that everything below /var/www/html belongs to apache:apache. Right?You can, but but I would only recommend doing that where the webserver itself will be responsible for changing files. If apache owns everything in that directory, then it can modify them. This can potentially be undesirable. Depending on what you're doing, you'll have to mix and match permissions as needed. Mostly apache just needs to be able to read stuff, so having root own it with 644 is fine. If you're using a CMS which allows folks to edit things via the webserver, then those will have to be owned by apache, or apache will otherwise need rights to modify them. Have I made that muddled and complex enough? -- During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell
On Tue, Jan 29, 2008 at 11:25 AM, Niki Kovacs <contact at kikinovak.net> wrote:> Hi, > > I'm currently setting up a simple web server. So far, everything (PHP, > MySQL) works very well, but I admit I never gave security that much > thought. Time to change that habit. > > First things first. The RHEL Deployment Guide lists Apache's > configuration directives alphabetically. Instead of going through them > from A to Z, I'll try to start with what seems more important, and then > advance step by step. > > User apache > Group apache > > As far as I understand, I have to chown all my web content accordingly, > so that everything below /var/www/html belongs to apache:apache. Right? > > cheers, > NikiApache needs to be able to read web files, but in most cases it should NOT own them. If it owns them, there is a potential for the apache server process to change them, which you don't want. If someone were to compromise the apache server, they would be able to embed whatever they want into the web page files. There are some cases when you might want apache to be able to write to files, but those are less frequent, so you should only change those specific files to apache ownership, or change the group permissions to allow writing from the group, and add apache to that group.