Tim wrote:
>
> You should NOT change ownership of /var/www/http to Apache, never do
> that. That's a VERY BAD THING!!!!!! Anyone who advises you to do that
> is not to be trusted (whether it's because they're being malicious, or
> simply that they don't know what they're talking about). That allows
> anything that can access the webserver to be able to write to those
> files. That's a major security risk. I you do not understand this,
> then stop, and learn about it before continuing to do anything else.
> Seriously! Stop, and do more research. I cannot emphasise it enough.
> ...
> The Apache webserver accesses files as the apache user, so on a properly
> set up system, it only has read-only access to files, as the "other"
> user. By default, the www directory is owned by root, so that whoever
> is going to edit the files has to have sufficient authority to be able
> to write there, or change permissions/ownership so that they can write
> there in their own name (rather than root).
>
> For those things that need write access to the files (such as web
> blogging where the author will add to the blog by writing through the
> webserver, or a plethora of other web services), then some other method
> must be used than chowning them to apache.
Tim,
Please share some acceptable methods of allowing Apache to write files within
DocumentRoot. Searching Google for "Apache write within DocumentRoot" yields a
lot of results that recommend giving Apache write access. For example, the
canonical answer about file permissions on a Linux web server at Server Fault¹
says:
If you have folders that need to be writable by Apache, you can just modify
the permission values for the group owner so that www-data has write access.
chmod g+w uploads
ls -l
drwxrws--- 2 eve www-data 4096 Feb 5 22:52 uploads
and:
If you have folders that need to be writable by Apache, you can make Apache
either the user owner or the group owner. Either way, it will have all the
access it needs. Personally, I prefer to make it the user owner so that the
developers can still browse and modify the contents of upload folders.
chown -R www-data uploads
ls -l
drwxrwxr-x 2 www-data dev-fabrikam 4096 Feb 5 22:52 uploads
and:
If you have folders that need to be writable by Apache, you can just modify
the permission values for the user owner so that www-data has write access.
chmod u+w uploads
ls -l
drwxrwx--- 2 www-data dev-fabrikam 4096 Feb 5 22:52 fabrikam.com
¹ http://serverfault.com/questions/357108/what-are-the-best-linux-permissions-to-use-for-my-website
Thank you,
Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
