> -----Original Message-----
> From: Hiep Nguyen [mailto:hiep@xxxxxxxxxx]
> Sent: Wednesday, March 05, 2008 4:52 PM
> To: Apache Users
> Cc: centos@xxxxxxxxxx
> Subject: permission on /var/www & /var/www/html
>
> hi all,
>
> assume apache runs under apache user/group and i have a user/group name
> "weber". i use "weber" user to upload files via ftp/sftp.
>
> where should i place my include files so that no one can access except
> apache b/c these files contained user/pw for mysql.

I assume you mean files that are included by httpd.conf - ie, they contain apache config directives...

>
> i usually place them in /var/www/html/includes, but people can access to
> this folder, so i'm thinking place them in /var/www/includes.

I assume by "access" you mean access via HTTP - not that they can login and read them with vi...

>
> what should the permission for /var/www/html and /var/www/inclues/? what
> group should these two directories belong to???

If /var/www/includes contains config data then it needs only to be readable by apache. It also has to have write permission for the user that edits the file (probably apache too) so just making the dir owned by apache and with default permissions should do it.

Eg:

    ls -ld /var/www/includes
    drwxr-xr-x 13 apache apache 4096 Mar 5 17:12 /var/www/includes
      ^ apache can edit it

NB Assuming your docroot is /var/www/html, web users cannot access this dir since it is above the docroot. However, anyone logging in via a shell can still read it. If you want to block this too, remove the read permission for "others",

Eg:

    chmod o-r,o-x /var/www/includes
    ls -ld /var/www/includes
    drwxr-x--- 13 apache apache 4096 Mar 5 17:12 /var/www/includes
           ^ others can't read it

If /var/www/html contains the content of your site then apache only needs to be able to read it. The user that edits the content (weber?) also needs write permission. Simplest thing is to make it owned by weber with default permissions.
Eg:

    ls -ld /var/www/html
    drwxr-xr-x 13 weber weber 4096 Mar 5 17:12 /var/www/html
           ^ apache can read it

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

>
> thanks,
> t. hiep
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
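
Added example, not part of the original thread: a small shell audit of the two conditions the reply describes, namely that the includes directory sits outside the docroot and that "others" have no permission bits on it. The function names and the temporary demo tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit the layout discussed in the thread. Function names and
# the temporary demo tree are assumptions, not anything from the original posts.

# Print the resolved physical path of a directory (symlinks followed).
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# Print the "others" permission triplet as shown by ls -ld, e.g. "r-x" or "---".
other_bits() { ls -ld "$1" | cut -c8-10; }

# audit_includes DOCROOT INCLUDES
# Returns 0 only when INCLUDES lies outside DOCROOT (no HTTP access) and grants
# nothing to "others" (no access for other shell users); prints each finding.
audit_includes() {
    doc=$(real_dir "$1") || { echo "FAIL: cannot resolve $1"; return 1; }
    inc=$(real_dir "$2") || { echo "FAIL: cannot resolve $2"; return 1; }
    rc=0
    case "$inc/" in
        "$doc"/*) echo "FAIL: $inc is inside docroot $doc"; rc=1 ;;
    esac
    bits=$(other_bits "$inc")
    if [ "$bits" != "---" ]; then
        echo "FAIL: $inc grants '$bits' to others"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $inc is outside the docroot and closed to others"
    return "$rc"
}

# Constructed demo tree standing in for /var/www/html and /var/www/includes.
demo=$(mktemp -d)
mkdir -p "$demo/www/html/includes" "$demo/www/includes"
chmod 755 "$demo/www/html" "$demo/www/html/includes" "$demo/www/includes"

audit_includes "$demo/www/html" "$demo/www/html/includes" || true  # under docroot
audit_includes "$demo/www/html" "$demo/www/includes" || true       # mode 755
chmod o-r,o-x "$demo/www/includes"                                 # fix from the reply
audit_includes "$demo/www/html" "$demo/www/includes"               # passes
rm -rf "$demo"
```

The check looks only at the directory's own mode bits and location; ownership, group membership and any ACLs are not examined.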