Niki Kovacs
2009-Sep-15 08:20 UTC
[CentOS] Simple web server with Apache: web page permissions ?
Hi,

I'm currently sinking my teeth into the fine "Definitive Guide to CentOS". Right now I'm reading the chapter about Apache. One thing puzzles me: no mention is made of web page permissions.

Let's say I'm using Apache's default configuration for setting up the most simple no-frills web server, e.g. no virtual hosts, only a series of static HTML pages in /var/www/html.

Q: what permissions should I define for these pages?

I remember having set up some web servers on Debian, and the tradition was that everything under /var/www/html (as in this example) was to be owned by user www-data and group www-data.

What's the "tradition" with RHEL/CentOS?

Cheers,

Niki
Ralph Angenendt
2009-Sep-15 10:39 UTC
[CentOS] Simple web server with Apache: web page permissions ?
On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
> I remember having set up some web servers on Debian, and the tradition
> was that everything under /var/www/html (as in this example) was to be
> owned by user www-data and group www-data.
>
> What's the "tradition" with RHEL/CentOS?

apache:apache - at least that is the UID/GID the webserver runs under.

Ralph
Jim Perrin
2009-Sep-15 11:10 UTC
[CentOS] Simple web server with Apache: web page permissions ?
On Tue, Sep 15, 2009 at 4:20 AM, Niki Kovacs <contact at kikinovak.net> wrote:
> Hi,
> Q: what permissions should I define for these pages?

I'd say, the most restrictive permissions possible that still allow your web application to function. I'm a bit more security conscious/paranoid than most though. There is an array of things to consider when you're asking about this sort of thing.

1. Is it a simple server where the person setting things up has the keys to the castle everywhere, or do you have a 'web group' who can only deposit pages, but have no other additional privileges and no root access?

2. Are you hosting static content or dynamic pages?

> I remember having set up some web servers on Debian, and the tradition
> was that everything under /var/www/html (as in this example) was to be
> owned by user www-data and group www-data.
>
> What's the "tradition" with RHEL/CentOS?

The default in CentOS is root ownership, with read privs so the web server running as apache can hand them out. This is fine for static content in a basic setup. Some content management systems require that the web server be able to create files, in which case Ralph's recommendation of apache:apache ownership is correct. The downside to this is that if someone compromises that software through a php exploit or bad code, they can make changes since they're operating as the apache user.

I would suggest that you mix the two ideologies as much as possible. Have root own everything that doesn't change, and display it with 644 permissions. Then let the apache user own the dynamic content areas. The whole idea is to assume that at some point, someone *is* going to get in, and you need to plan to minimize the impact when they do. By planning things out in this way, you can keep your system much more secure, and prevent nearly all break-ins before they occur.

-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
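The split layout Jim describes, written out as a shell script; this is an added example and not code from the thread. It assumes one dynamic subtree (an "uploads" directory is the assumed name) and takes the owner names as parameters so it can be exercised unprivileged; on CentOS you would call it with root:root for the static tree and apache:apache for the dynamic one.

```shell
#!/bin/sh
# Added example, not from the thread. Static content is owned by root
# (0755 directories, 0644 files) so the httpd account can read but never
# write it; one dynamic subtree is owned by the account httpd runs as
# (apache:apache on CentOS), which is the only place a compromised web
# application can write. Production call (assumed paths):
#   harden_docroot /var/www/html root:root /var/www/html/uploads apache:apache
set -eu

# harden_docroot DOCROOT STATIC_OWNER DYNAMIC_DIR DYNAMIC_OWNER
harden_docroot() {
    docroot=$1
    static_owner=$2
    dynamic_dir=$3
    dynamic_owner=$4
    # everything that does not change: root-owned, readable, not writable
    chown -R "$static_owner" "$docroot"
    find "$docroot" -type d -exec chmod 0755 {} +
    find "$docroot" -type f -exec chmod 0644 {} +
    # the one area the application may write to; directories need the w bit
    # for the owner, files never need the execute bit
    mkdir -p "$dynamic_dir"
    chown -R "$dynamic_owner" "$dynamic_dir"
    find "$dynamic_dir" -type d -exec chmod 0755 {} +
    find "$dynamic_dir" -type f -exec chmod 0644 {} +
}

# audit_docroot DOCROOT STATIC_USER DYNAMIC_DIR
# Prints every path outside the dynamic subtree that the httpd account could
# write to: group-writable (020), world-writable (002), or not owned by the
# static owner at all. Empty output means the static tree is read-only for
# the web server; run it after any deploy to catch a chmod 777 creeping in.
audit_docroot() {
    docroot=$1
    static_user=$2
    dynamic_dir=$3
    find "$docroot" -path "$dynamic_dir" -prune -o \
        \( -perm -020 -o -perm -002 -o ! -user "$static_user" \) -print
}
```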