Reindl Harald wrote:

> it's not a matter of the distribution set permissions wise and only
> allow the apache user write access where it is really needed
>
> the document root is *not* such a place
> temp/cache folders of a web-application are

For clarification, can the temp/cache folders be subdirectories of the DocumentRoot, or should Apache never be able to write any file it could potentially serve?

> in the best case *any* available permission system denies *anything* which is
> not needed for normal operations and if you need to allow whatever you need
> to do this for all possible involved subsystems - from a security point of view
> it's easy. if one of the subsystems fails or is configured unsafe like
> "chmod -R 777" the other one makes this mindless acting less critical
>
> in doubt there is not "this or that is better", in doubt you want as many
> security layers as possible: iptables, mod_security, filesystem perms and
> as last resort SELinux - they are finally adaptive and depending on whatever
> a bad guy tries to do on a server different layers may stop him, in the best
> case the first and finally the last resort

In general, I understand layered security and the principle of least privilege. It's just that Tim's statements:

    If it's possible for Apache to write to the webspace, because it's
    foolishly owned by the apache user, your system is just ripe for being
    exploited.

and:

    For those things that need write access to the files (such as web
    blogging where the author will add to the blog by writing through the
    webserver, or a plethora of other web services), then some other method
    must be used than chowning them to apache.

leave me wondering what that "other method" would be. In other words, if a "plethora of other web services" require write access to the webspace, then there must either be commonly used methods to securely provide that functionality, or a plethora of systems that are "just ripe for being exploited".

If it's the former, I want to know what those methods are. I appreciate all of your input and I'm really interested to see what Tim has to add.

Thank you,

Matthew Roth
InterMedia Marketing Solutions
Software Engineer and Systems Developer

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
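The following script is an added example and is not part of the thread above nor anything Tim or Reindl Harald posted. It makes the "read-only DocumentRoot, writable directories elsewhere" layout concrete and gives an audit you can run against a real docroot: it lists every path under the docroot that the web server could write (group- or world-writable, or owned by the web-server account), then builds two constructed trees under a temp directory, the careless `chmod -R 777` one the quote mentions and a hardened one whose `uploads` and `cache` directories live outside the docroot. The account name `apache`, the `htdocs`/`data` paths and the demo tree are all assumptions for illustration; nothing under /var/www is touched.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits an Apache
# DocumentRoot for paths the web server could write to, and shows a
# layout where the docroot is read-only and all writable state lives
# outside it. Assumptions (hypothetical): the web server runs as the
# account named in the second argument (apache on Fedora); the demo tree
# is constructed under a temp dir and does not touch /var/www.
set -u

# Print every path under $1 that the web server could write: anything
# group- or world-writable, plus anything owned by the account $2
# (ownership is only checked when that account exists on this host).
web_writable_paths() {
    find "$1" -perm /022 -print
    if id "$2" >/dev/null 2>&1; then
        find "$1" -user "$2" -print
    fi
}

# Number of offending paths under $1 (0 means the web server cannot
# write anything it could also serve).
web_writable_count() {
    web_writable_paths "$1" "$2" | sort -u | wc -l | tr -d ' '
}

# Exit status 0 when the docroot is clean, 1 when it is writable somewhere.
audit_docroot() {
    n=$(web_writable_count "$1" "$2")
    if [ "$n" -ne 0 ]; then
        echo "FAIL: $n web-writable path(s) under $1:" >&2
        web_writable_paths "$1" "$2" | sort -u >&2
        return 1
    fi
    echo "OK: nothing under $1 is writable by the web server"
}

# Constructed "wrong" tree: the whole docroot made writable because
# someone ran chmod -R 777 to get uploads working.
make_bad_site() {
    mkdir -p "$1/htdocs/uploads"
    echo '<h1>hello</h1>' > "$1/htdocs/index.html"
    chmod -R 777 "$1/htdocs"
}

# Constructed hardened tree. The docroot is owned by the deploying account
# (here: whoever runs the script) and read-only to everyone else; the
# application writes only under $1/data, which is not below the docroot
# and is therefore never served. On a real host you would additionally run
#   chgrp -R apache "$1/data"        (needs root; omitted so this runs unprivileged)
# and on Fedora label that directory httpd_sys_rw_content_t so the
# SELinux layer also permits exactly those writes and nothing else.
make_hardened_site() {
    mkdir -p "$1/htdocs" "$1/data/uploads" "$1/data/cache"
    echo '<h1>hello</h1>' > "$1/htdocs/index.html"
    find "$1/htdocs" -type d -exec chmod 0755 {} +
    find "$1/htdocs" -type f -exec chmod 0644 {} +
    chmod 0770 "$1/data" "$1/data/uploads" "$1/data/cache"
}

# Demo: the same audit fails on the careless tree and passes on the fixed one.
demo_root=$(mktemp -d)
make_bad_site "$demo_root/bad"
audit_docroot "$demo_root/bad/htdocs" apache || true
make_hardened_site "$demo_root/good"
audit_docroot "$demo_root/good/htdocs" apache
rm -rf "$demo_root"
```

Run as `sh audit_docroot.sh`; to audit a live server, call `audit_docroot /var/www/html apache` as root so `find` can stat every file. The example takes the conservative reading of the quoted advice: temp and cache directories are kept outside the DocumentRoot entirely, so even a misconfigured vhost cannot serve a file the application (or an attacker who found an upload bug) just wrote. If a framework insists on a writable directory below the docroot, the same audit will flag it, which is the prompt to either move it out or at minimum deny serving and script execution from it in the vhost configuration.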