On Wed, 12 Dec 2007, Karel Kubat wrote:
> Hi Hiep,
>
> On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:
>
>> I installed Apache on CentOS 5 and I have some questions regarding security for Apache. I read the security tips at http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea, but still need some advice from the gurus here.
>>
>> /etc/httpd/conf/httpd.conf:
>>
>>   ServerRoot "/etc/httpd"
>>   User apache
>>   Group apache
>>   DocumentRoot "/var/www/html"
>>
>> As of now, /var/www/html/ belongs to the root user & group.
>
> Make this apache:apache, it fits better with the User/Group specifiers above.
Is there any security risk in changing /var/www/html/ to apache:apache? How do the developers upload/download files? Should I create a user/group and let all of them use this user to upload/download files?
>> But I have a couple of developers here that need to upload files to this folder, and I don't want to give out the root password. What should I change the /var/www/html/ folder to?
>
> Use apache:apache if you think that all developers are trustworthy ;-) Definitely not root:root. When you make the ownership change, verify that apache:apache may indeed read /var/www/html/.
How do I verify this?
>> I also have an SSI folder (/var/www/html/includes) that I don't want any web user to have access to, because these include files contain the user/password for MySQL.
>>
>> For example, at the beginning of /var/www/html/index.php, I have:
>>
>>   <? include_once('/var/www/html/includes/global.php'); include_once('/var/www/html/includes/connect.php'); ?>
>
> PHP includes this way locally, from the file system. There is no need to park these files in the docroot tree. E.g., stick them in /var/www/includes/, outside of /var/www/html. Then use include_once('/var/www/includes/global.php').
>
>> I try to prevent a web user from doing this:
>>
>>   wget http://10.0.0.120/includes/global.php
>>
>> but at the same time allow the Apache server to access files in the /var/www/html/includes/ folder.
>
> Definitely a good idea ;-) See above..
>
> HTH,
>
> -- Karel Kubat / M +31 6 2956 4861 (+31 6 AWK 6 HUM 1)
> From the collection of Wise Quotes: "I'm not into working out. My philosophy: No pain, no pain." - Carol Leifer

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
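One way to check the two points Karel raises (that the apache account can actually read the docroot after the chown, and that the include files live outside it), as an added example that is not part of the thread. It assumes GNU coreutils (stat -c, readlink -f) as on CentOS; the apache user and the /var/www paths in the usage lines are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (stat -c,
# readlink -f) as on CentOS; the "apache" user and /var/www paths in the
# usage lines at the bottom are the ones from the thread.

# in_groups USER GID: succeeds when USER is a member of numeric group GID
in_groups() {
    case " $(id -G "$1" 2>/dev/null) " in *" $2 "*) return 0 ;; esac
    return 1
}

# perm_ok USER PATH MASK: succeeds when the mode bits that apply to USER on
# PATH contain MASK (4 = read, 1 = search/execute). Judged from the bits
# alone, as an unprivileged httpd process would be; root bypasses them.
perm_ok() {
    st=$(stat -c '%u %g %a' "$2") || return 2
    set -- "$1" "$2" "$3" $st         # $4 owner uid, $5 gid, $6 octal mode
    uid=$(id -u "$1") || return 2
    mode=$(( 0$6 ))                   # leading 0 makes the shell parse octal
    if [ "$uid" = "$4" ]; then bits=$(( (mode >> 6) & 7 ))
    elif in_groups "$1" "$5"; then bits=$(( (mode >> 3) & 7 ))
    else bits=$(( mode & 7 )); fi
    [ $(( bits & $3 )) -eq "$3" ]
}

# can_read USER PATH: every directory above PATH must be searchable by USER,
# and PATH itself readable (readable and searchable if it is a directory).
# A readable docroot below a 700 root-owned parent still fails here.
can_read() {
    target=$(readlink -f "$2") || return 2
    dir=$target
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        perm_ok "$1" "$dir" 1 || return 1
    done
    if [ -d "$target" ]; then perm_ok "$1" "$target" 5
    else perm_ok "$1" "$target" 4; fi
}

# outside_docroot DOCROOT PATH: succeeds when PATH is not beneath DOCROOT, so
# no URL under DOCROOT can ever map to it (the includes/ case above).
outside_docroot() {
    root=$(readlink -f "$1")/ && p=$(readlink -f "$2")/ || return 2
    case "$p" in "$root"*) return 1 ;; *) return 0 ;; esac
}

# Usage as in the thread (the apache account must exist on the host):
#   can_read apache /var/www/html/index.php && echo "apache can read it"
#   outside_docroot /var/www/html /var/www/includes/global.php && echo "not web-reachable"
```

Run it as root or as any user; the checks read permission bits only, so they give the same answer regardless of who runs them.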