Rick Stevens wrote:
> Both trees (the ServerRoot and all of the DocumentRoots) have to be
> readable by the user that Apache runs as. Absolutely NO part of the
> ServerRoot should be _writable_ by the Apache user. It should only be
> writable by administrative personnel (root, people in the "wheel"
> group, etc.).


Rick,

Thank you for the clear and informative post.  I just have one small
correction to make.  Apache reads its configuration files as root
before switching to the unprivileged user and group that it will
answer requests as.

This can be used to increase security by allowing passwords or other
private information to be set as Apache environment variables in files
that are only readable by root¹.  Applications can then access the
private information (e.g. via the $_SERVER array in PHP) without
containing its actual value.  Access to the environment variables can
be controlled by Apache directives (e.g. SetEnvIf) and/or using
virtual hosts.

¹ http://www.brianhare.com/wordpress/2011/02/18/hiding-mysql-passwords-in-php-using-apache-environment-variables/

Regards,

Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer
-- 
users mailing list
users@lists.fedoraproject.org
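
An added example, not part of the original message: a Python check, meant to be run as root, that walks an Apache configuration directory, finds files containing SetEnv or SetEnvIf directives, and reports any that are not owned by root or that grant access to group or other. The function names, file names and sample values are constructed for illustration.

```python
import os
import re
import stat

# Directives that place a value into the request environment.
ENV_DIRECTIVE = re.compile(r"^\s*SetEnv(If(NoCase)?)?\s", re.I | re.M)

def audit_env_files(conf_dir, owner_uid=0):
    """Return {path: [problems]} for config files that set environment variables."""
    findings = {}
    for root, _dirs, files in os.walk(conf_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets and other non-regular files
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable to this user; run the audit as root
            if not ENV_DIRECTIVE.search(text):
                continue
            problems = []
            if st.st_uid != owner_uid:
                problems.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append("mode %04o grants group/other access"
                                % stat.S_IMODE(st.st_mode))
            if problems:
                findings[path] = problems
    return findings

def build_sample(conf_dir):
    """Write constructed sample files; returns (tight_path, loose_path)."""
    samples = {
        "secrets.conf": ("SetEnv DB_PASSWORD placeholder-value\n", 0o600),
        "leaky.conf": ("SetEnvIf Host example DB_USER=placeholder\n", 0o644),
        "vhost.conf": ("DocumentRoot /var/www/html\n", 0o644),  # no env directive
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(conf_dir, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return os.path.join(conf_dir, "secrets.conf"), os.path.join(conf_dir, "leaky.conf")
```
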