On 14.09.2013 20:40, Matthew J. Roth wrote:
> Reindl Harald wrote:
>>
>> www-data is *debian* because on Redhat the user/group is named "apache"
>> if you use google add your distribution to the search string!
>
> Please explain how the specific user Apache is running as is relevant

"chown www-data" and "chgrp www-data" will not work on Redhat

> Is it only an indicator of the distribution the example is based on?

it is simple: the same command may have different params on different distributions
see above

> If so, are you saying that distributions without SELinux support cannot securely
> allow Apache to write files within DocumentRoot.

it's not a matter of the distribution
set permissions wisely and only allow the apache user write access where it is really needed
the document root is *not* such a place
temp/cache folders of a web-application are

>> besides that there are *two* levels to care about: FS-permissions *and* SELinux
>>
>> chown apache:apache /path/to/folder/
>> chmod 770 /path/to/folder/
>>
>> http://david-latham.blogspot.co.at/2008/08/allow-httpd-apache-to-write-to-files.html
>
> Are you saying to allow Apache write access, but to use SELinux to limit the
> directories and files it can update? That sounds reasonable to me, but I get the
> impression that Tim had something else in mind from his very specific statement

i say not more and not less than that you can set filesystem permissions to whatever you want
if the SELinux context does not allow it

SELinux is an *additional* security subsystem

in the best case *any* available permission system denies *anything* which is not needed
for normal operations, and if you need to allow whatever, you need to do this for all
possibly involved subsystems - from a security point of view it's easy.

if one of the subsystems fails or is configured unsafely like "chmod -R 777", the other
one makes this mindless acting less critical

in doubt there is no "this or that is better", in doubt you want as many security
layers as possible: iptables, mod_security, filesystem perms and as last resort SELinux -
they are finally adaptive, and depending on whatever a bad guy tries to do on a server,
different layers may stop him, in the best case the first and finally the last resort

the goal is making attacks as hard as possible because an attacker needs to trick
around all the security layers and may seek an easier target if it takes too much
time/energy to bypass all of them
--
users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
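The two layers the reply describes (filesystem permissions first, SELinux context on top), as an added shell example that is not from the thread or from any of its participants: it audits a constructed web tree for directories the web server could write to, strips those bits everywhere except an assumed cache directory, and prints the SELinux labelling commands for that directory. The paths, the web group name and the sample tree are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web tree for the write
# permissions the reply warns about, then strip them everywhere except
# the one directory the application really needs (its cache dir).
# Paths, group name and the sample tree below are constructed for this demo.

# Print directories under $1 that the web server could write to: world-
# writable, or group-writable with group $2 (apache on Red Hat, www-data
# on Debian). $3 is the intended writable directory and is skipped.
audit_writable() {
    root=$1; webgroup=$2; allowed=$3
    find "$root" -type d \
        \( -perm -o+w -o \( -group "$webgroup" -perm -g+w \) \) \
        ! -path "$allowed" ! -path "$allowed/*" | sort
}

# Filesystem layer: drop group/other write bits on every directory under
# $1 except the allowed directory $2.
harden_tree() {
    root=$1; allowed=$2
    find "$root" -type d ! -path "$allowed" ! -path "$allowed/*" \
        -exec chmod g-w,o-w {} +
}

# SELinux layer: commands that label only the allowed directory so httpd
# may write there even if a chmod slips elsewhere. They are printed, not
# run, so the script also works on hosts without SELinux.
selinux_label_cmds() {
    allowed=$1
    echo "semanage fcontext -a -t httpd_sys_rw_content_t \"$allowed(/.*)?\""
    echo "restorecon -Rv \"$allowed\""
}

# Constructed sample tree: a DocumentRoot with a "chmod -R 777" mistake in
# uploads/, and a cache/ directory outside DocumentRoot with mode 770.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/css" "$root/htdocs/uploads" "$root/cache"
    chmod 755 "$root/htdocs" "$root/htdocs/css"
    chmod 777 "$root/htdocs/uploads"
    chmod 770 "$root/cache"
    echo "$root"
}

root=$(make_sample_tree)
echo "writable before hardening:"; audit_writable "$root" "$(id -gn)" "$root/cache"
harden_tree "$root" "$root/cache"
echo "writable after hardening:";  audit_writable "$root" "$(id -gn)" "$root/cache"
selinux_label_cmds "$root/cache"
```

Run it as the user that owns the tree; on a real host replace the sample tree with your DocumentRoot and the application's cache path, and run the printed SELinux commands only there.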