On 07/30/2010 03:13 AM, Sander Temme wrote:
James,
The Apache HTTP Server needs read access to its configuration files and the
files it serves. In and of itself, the server does not need write access
anywhere on the system: even its log files are opened for write while the server
is still root, and the open file descriptors are passed to the child processes,
which change their user id to the less privileged user.
Read access only. The web server user should not own, or be able to write to,
its configuration files or content.
Content, other than CGI scripts, generally does not need Execute permissions.
Even PHP files that are interpreted by the server do not need to be Executable.
Certain applications, especially publishing platforms and Content Management
Systems that you manage and populate through the web server itself using a
browser, require that certain directories on the system be made writable by the
web server user. You can do this by changing the owner of the directory to
that user (usually www but ymmv), or by making the directory group-writable and
changing the group to the group as which Apache runs.
Making directories writable by the web server should be done only with care and
consideration. The usual threat model is that someone manages to upload (for
instance) a PHP script of their own making into the document root, and simply
executes that by accessing it through a browser. Now someone is executing code
on your machine. Google for 'r57' for an example of what such code can do.
If a web app needs writable directories, it's often better to have those
outside the DocumentRoot: that way the uploads can't be accessed from the
outside through a direct URL. Some applications (WordPress for instance)
support this, others do not.
In many cases, writable directories are not strictly necessary even though the
web app might like them: rather than upload plugins (which contain code that
gets executed or interpreted, yech!) through the web browser, upload them
through ssh and manually unpack them on the server. The CMS Joomla! likes to
write its configuration file to the Document Root on initial install (which
promptly becomes a popular attack target), but if it can't write to the Document
Root, it will output the config to the browser so the user can manually upload
it.
Hope this helps.
S.
On Jul 29, 2010, at 5:35 PM, James Godrej wrote:
This I understand.
But then do other users not need read/write permissions?
There is hardly anything given on this page:
http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
You mentioned ServerRoot should not be chowned to Apache.
But if not, then what should it be chowned to? And there is nothing about the
Document Root being chowned.
Who should own the Document Root? There are many applications I download from
the internet whose README pages say
to chown those directories to apache.
Otherwise it never worked.
What should I do in this situation?
From: Eric Covener<cove...@gmail.com>
To: users@httpd.apache.org
Sent: Thu, 29 July, 2010 10:45:53 PM
Subject: Re: [us...@httpd] Apache 2.2.15 says You do not have permission to
view [this file]
Oh man, an experienced sysadmin told me to do it that way.
Please tell me what is wrong with this and where this is documented in the
Apache docs.
I want to read.
This is a general principle -- don't grant more access than necessary.
Apache doesn't need to own files to be able to serve (read) them.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Sander,
May I borrow excerpts from your response for a wiki article? We answer
those questions over and over, and I would very much like to link to a
complete response instead.
Thank you.
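The layout Sander describes (a DocumentRoot the web server can only read, no execute bit on content, and the one writable directory kept outside the DocumentRoot and group-owned by the server's group), as an added shell example that is not from this thread or from the httpd project. It assumes the httpd children run as a dedicated account and takes that account's numeric uid and gid as parameters, so the audit also works on a machine where the account name (www, apache, www-data) does not exist; the temporary tree in the demo is constructed, and uid/gid 4242424 is a placeholder for the web server account.

```shell
#!/bin/sh
# Added example: apply and check the "read access only" permission layout.
# Assumptions (not from the thread): WEB_UID/WEB_GID are the numeric ids of
# the account the httpd children run as; numeric ids are used so `find -user`
# does not fail where that account does not exist.

# audit_docroot DOCROOT WEB_UID WEB_GID
# Prints every path under DOCROOT the web server user could modify, tagged:
#   owner - owned by the web user (it could chmod the file and then write it)
#   group - group-writable and owned by the web server's group
#   world - writable by everyone
# Returns 0 when the tree is clean, 1 when anything was listed.
audit_docroot() {
    _root=$1; _uid=$2; _gid=$3
    _out=$( {
        find "$_root" -user "$_uid" -print | sed 's/^/owner  /'
        find "$_root" -group "$_gid" -perm -020 -print | sed 's/^/group  /'
        find "$_root" -perm -002 -print | sed 's/^/world  /'
    } | sort )
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# count_findings DOCROOT WEB_UID WEB_GID -> number of paths audit_docroot lists
count_findings() {
    audit_docroot "$@" | wc -l | tr -d ' '
}

# harden_docroot DOCROOT
# Read access only: directories 755, files 644 (no execute bit, PHP included).
# Ownership stays with the admin account that unpacked the content; moving it
# there (chown -R admin:admin DOCROOT) is a separate step done as root.
harden_docroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# make_upload_dir DIR WEB_GID
# The one writable location, outside the DocumentRoot so nothing in it is
# reachable by URL: group set to the web server's group, group-writable,
# setgid so files created there inherit that group, no access for others.
make_upload_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Demonstration on a constructed temporary tree. 4242424 stands in for the
# web server account's uid/gid; the upload directory uses the caller's own
# group so the demo runs without root.
demo() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/htdocs/uploads"
    printf 'placeholder content\n' > "$_tmp/htdocs/index.php"
    chmod 777 "$_tmp/htdocs/uploads"     # the "chmod 777 until it works" layout
    chmod 755 "$_tmp/htdocs/index.php"   # execute bit PHP does not need
    echo "before:"; audit_docroot "$_tmp/htdocs" 4242424 4242424 || true
    harden_docroot "$_tmp/htdocs"
    rmdir "$_tmp/htdocs/uploads"         # writable dir moves out of DocumentRoot
    make_upload_dir "$_tmp/uploads" "$(id -g)"
    echo "after:"; audit_docroot "$_tmp/htdocs" 4242424 4242424 && echo "  clean"
    rm -rf "$_tmp"
}
demo
```

Running the audit with the web server's real uid/gid against a tree whose README told you to `chown -R apache` reports every path as `owner`, which is exactly the situation Sander warns about: the account that serves the content can also rewrite it.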