Ethan> however one thing you should do on a Debian system is chown
Ethan> /var/www to root and make sure it's not group writable. also
Ethan> chown /var/log/apache/* to root.adm and make sure the
Ethan> permissions are 640 or 644. (you have to fix the Apache cron
Ethan> jobs to not undo this change)

Ethan> for some insane reason Debian leaves the www-root owned by
Ethan> www-data.www-data (the same user Debian runs Apache as) along
Ethan> with the logs. this is totally wrong as the web server user
Ethan> should NOT own files or have any write permission to anything.
Ethan> if it does then all it takes is one of those unprivileged child
Ethan> processes to be exploited and your web site can be replaced and
Ethan> your logs can be removed. bad bad bad.

As for the document tree, I largely agree. But as for the logs, don't the child servers need to write them, almost by definition?

--
Ian Zimmerman, Oakland, California, U.S.A.
In his own soul a man bears the source from which he draws all his sorrows and his joys. Sophocles.
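An added example, not part of the thread: a small POSIX shell audit for the condition Ethan describes, plus the fix he proposes. It assumes GNU/Linux with find(1) and sed(1); the web-server uid, document root and log directory are parameters supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits a web document root
# or log directory for entries owned by the web-server user or writable by
# group/others, and applies the chown/chmod fix from the thread on request.
# Assumes GNU/Linux; uid and paths are caller-supplied.

# audit_webtree DIR WEBUID
# Prints every entry under DIR that is owned by WEBUID or is group- or
# world-writable, one per line. Returns 1 if anything was found, 0 if clean.
audit_webtree() {
    dir="$1"; webuid="$2"
    report=$({
        # The server user should own nothing in the document root or logs.
        find "$dir" -uid "$webuid" -print | sed 's/^/owned-by-webuser /'
        # Nothing (symlinks aside) should be writable by group or others.
        find "$dir" ! -type l \( -perm -g+w -o -perm -o+w \) -print \
            | sed 's/^/writable /'
    })
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# harden_webtree DOCROOT LOGDIR
# Applies the fix from the thread; must run as root. The log rotation
# cron job must be adjusted too, or it will recreate the old ownership.
harden_webtree() {
    docroot="$1"; logdir="$2"
    chown -R root:root "$docroot" && chmod -R go-w "$docroot" || return 1
    chown root:adm "$logdir"/* && chmod 640 "$logdir"/*
}
```

Run `audit_webtree /var/www "$(id -u www-data)"` periodically (for example from cron) and alert on a non-zero exit; a clean tree prints nothing.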