I have a group of users (content editors) who need read-write access to the apache document root. The apache web server is running as user apache and group apache. The filesystem permissions are currently set as apache:apache. How should I modify the filesystem permissions so that content editors have read-write permissions and the webserver can serve files as well? Following is what I have set up now, but I am not sure whether it is a good configuration. I appreciate any comments or suggestions regarding this.

<setup>
chown -R apache:contenteditors /var/www/html
chmod u=rx /var/www/html
chmod g+w /var/www/html
chmod g+s /var/www/html
Add people editing web/html files to contenteditors group.
</setup>

thanks,
jM.
User apache only needs read access except under special conditions, such as a script that needs to store configuration in a file. And a lot of apps store their state in a DB so they don't need filesystem write access at all. Set the permissions as strict as possible, so that if an attacker finds a bug in apache, he does as little damage as possible.
On Wed, May 4, 2011 at 12:58 PM, Kenneth Porter <shiva at sewingwitch.com> wrote:
> User apache only needs read access except under special conditions, such as
> a script that needs to store configuration in a file. And a lot of apps
> store their state in a DB so they don't need filesystem write access at
> all.
>
> Set the permissions as strict as possible, so that if an attacker finds a
> bug in apache, he does as little damage as possible.

Thanks for the suggestions Richard and Kenneth. I installed drupal here and it requires the user running apache to have write access on the filesystem. Otherwise it complains: 'The directory sites/default/files is not writable'. The content editors/developers need write access to theme/pictures folders. So it seems like I can't avoid giving write access to the apache user. Any hacks or tips here?

jM.
Johan Martinez wrote on Wed, 4 May 2011 14:49:52 -0500:
> Thanks for the suggestions Richard and Kenneth. I installed drupal here and
> it requires user running apache to have write access on filesystem.

Assuming you are running mod_php and safe_mode: that is probably because of PHP safe_mode. You didn't say you were going to write to that area with drupal. That's a completely different picture then! You really have to give the complete picture.

In PHP safe_mode you can:
a) have all php files and the write area owned by apache
b) have all php files owned by a user and the write area writable by apache but owned by the user (*)
c) have all php files owned by the user, group-owned by apache, and the write area group-owned by apache and owned by the user, and use safe_mode_gid instead of safe_mode.

(*) this doesn't work if you create subdirectories because they get the wrong permissions and apache can't pass through

I think the most-used scenario is b). You will have to do some research to see what fits your setup best (php.net/safe_mode). Also note that safe_mode is discouraged "officially" now since it isn't 100% reliable. However, I strongly advise using it if possible as long as it is available.

Kai
On 05/04/2011 12:49 PM, Johan Martinez wrote:
> Thanks for the suggestions Richard and Kenneth. I installed drupal here
> and it requires user running apache to have write access on filesystem.
> Otherwise it complains: 'The directory sites/default/files is not
> writable'. The content editors/developers need write access to
> theme/pictures folders. So it seems like I can't avoid giving write
> access to apache user. Any hacks or tips here?

Tip 1: Your files and directories can have different permissions. Rather than your original setup, try:

chown -R apache:contenteditors /var/www/html
find /var/www/html -type f -exec chmod 0464 {} +
find /var/www/html -type d -exec chmod 2575 {} +

or:

chown -R apache:apache /var/www/html
find /var/www/html -type f -exec setfacl -m g:contenteditors:rw {} +
find /var/www/html -type d -exec setfacl -m g:contenteditors:rwx {} +

Tip 2: Don't install drupal in /var/www/html. Generally, /var/www/html should be used only for static content. Web applications should be installed outside the document root to prevent a misconfiguration from allowing remote clients to download files that might contain configurations, passwords, or other sensitive information. See the rpm-packaged drupal for an example of how this is done.

Tip 3: If your application says that it needs write access to "sites/default/files", then add write access only for that directory.
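Putting Tip 1 and Tip 3 together in one repeatable script, as an added example that is not part of the thread: it applies the split file/directory modes from Tip 1 (files 0464, directories 2575), opens write access for the web server user only under the directories you name (Tip 3), and then lists every directory the owner can still write to so you can confirm the writable set is exactly what you intended. It assumes GNU find and stat (Linux), and only attempts the chown to apache:contenteditors when run as root and that group exists, so it can be tried in a scratch directory as an ordinary user. The modes used inside the writable directories (2775 for directories, 0664 for files) are this example's choice, not something the thread prescribes.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Assumes GNU find/stat.

# Files: owner (apache) read-only, group (contenteditors) rw, world read.
FILE_MODE=0464
# Dirs: setgid so new files inherit the group; owner r-x, group rwx, world r-x.
DIR_MODE=2575
# Inside directories the web app genuinely must write to, the owner also
# gets write (assumed values, chosen for this example).
WRITABLE_DIR_MODE=2775
WRITABLE_FILE_MODE=0664

# apply_docroot_perms ROOT [SUBDIR...]
#   ROOT    document root to lock down
#   SUBDIR  paths relative to ROOT that must stay writable by the web server
#           user, e.g. sites/default/files
apply_docroot_perms() {
    root="$1"; shift
    # Ownership change needs root and the group from the thread; skipped
    # otherwise so the function can be exercised in a scratch tree.
    if [ "$(id -u)" -eq 0 ] && getent group contenteditors >/dev/null 2>&1; then
        chown -R apache:contenteditors "$root"
    fi
    find "$root" -type f -exec chmod "$FILE_MODE" {} +
    find "$root" -type d -exec chmod "$DIR_MODE" {} +
    # Open write access only where the application says it needs it.
    for sub in "$@"; do
        find "$root/$sub" -type d -exec chmod "$WRITABLE_DIR_MODE" {} +
        find "$root/$sub" -type f -exec chmod "$WRITABLE_FILE_MODE" {} +
    done
}

# Print every directory under ROOT that the owner (the web server user) can
# write to. After apply_docroot_perms this should be exactly the SUBDIRs
# you passed and their subdirectories; anything else is a mistake.
audit_owner_writable_dirs() {
    find "$1" -type d -perm -u=w | sort
}

# Octal mode of a path (GNU stat), for quick checks.
mode_of() {
    stat -c '%a' "$1"
}

# Usage on a real host (as root):
#   apply_docroot_perms /var/www/html sites/default/files
#   audit_owner_writable_dirs /var/www/html
```

Run the audit after every deploy or content sync: tools that copy files in with their own umask are the usual way a supposedly read-only tree quietly grows writable directories again.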