Re: Why do I need /var/www as DocumentRoot & www-data as www owner?


Greg Platt - Platt Consultants wrote:
> Yes, I realize the DocumentRoot location can be changed. Indeed I've already
> changed it with the sites I converted earlier. What I came here hoping to
> find is someone who understands WHY it was changed by Apache to begin with
> and who could explain the implications of changing it in a different way...
> especially since on Debian I can change it from one virtual host to another.
> Frankly, I haven't found anything yet that says there were technological or
> security reasons why Apache made this change. Not even their documentation
> suggests such reasons exist. If the answer is there ARE no specific reasons
> for the change, I'm inclined to ignore it and go with what I already have
> working.

With regard strictly to technological or security reasons for putting the DocumentRoot under /var/www, /home/www, or any other directory you like, there are none. The "default" location for this directory is ultimately up to the end user. Different Linux distributions will use different default directories. It's all a matter of what the file/directory name standard is for that distro. The same goes for the user account used to run the daemon (www-data for Debian, apache for RedHat based, I believe, etc).

The security of the directory is only determined by YOU (i.e. how secure you MAKE it). The apache user (whether it be apache, www-data, nobody, or any other system user) simply needs execute access on the DocumentRoot directory (and all parent directories) and read permission on the files it will be serving. The files themselves do not need to be owned by the apache user, nor do they need write access, unless you specifically want this (e.g. a script that allows the user to upload a file and it's stored in a directory under DocumentRoot). In fact, it can potentially be a security risk if the files allow the apache user write access (what happens if someone hacks a script and it attempts to modify a file on the website?).

In general, I find it best to simply follow the naming conventions of the distro (you can use symlinks if needed to make it easier for transitioning). This allows someone that is familiar with that distro to come in and not be surprised by a completely different file structure.


Justin Pasher

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
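
An added example, not part of the original message: a shell audit of the permission model described in the reply above (read and traverse access only, no write access for the web server user). The function names, the constructed sample tree, and the use of the current user as a stand-in for www-data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a DocumentRoot against
# the permission model described above. Paths and user are assumptions.

# List entries under docroot $1 that user $2 could modify by mode bits alone:
# owned by that user with owner-write set, or world-writable.
# Symlinks are skipped (their mode is always 777); group-write is not checked.
writable_by() {
    find "$1" ! -type l \( \( -user "$2" -perm -0200 \) -o -perm -0002 \) -print
}

# List $1 and every ancestor that lacks the "other" execute bit, i.e. that a
# web user who is neither owner nor group member could not traverse.
untraversable_for_other() {
    dir=$1
    while :; do
        # 10th character of the ls -ld mode string is other-execute (x or t if set)
        case $(ls -ld "$dir" | cut -c10) in
            x|t) ;;
            *) printf '%s\n' "$dir" ;;
        esac
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
}

# Constructed sample tree; prints its root directory.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/htdocs/uploads" "$t/locked/htdocs"
    : > "$t/site/htdocs/index.html"
    : > "$t/site/htdocs/app.php"
    chmod 444 "$t/site/htdocs/index.html"   # read-only: all that serving needs
    chmod 644 "$t/site/htdocs/app.php"      # writable by its owner
    chmod 777 "$t/site/htdocs/uploads"      # world-writable upload directory
    chmod 555 "$t/site/htdocs"
    chmod 755 "$t" "$t/site" "$t/locked/htdocs"
    chmod 700 "$t/locked"                   # blocks traversal for "other"
    printf '%s\n' "$t"
}

# Usage: script DOCROOT WEB_USER   (e.g. /var/www www-data)
if [ $# -eq 2 ]; then
    writable_by "$1" "$2"
    untraversable_for_other "$1"
else
    root=$(build_sample_tree)   # no arguments: run against the sample tree
    writable_by "$root/site/htdocs" "$(id -u)"   # current user stands in for the web user
    untraversable_for_other "$root/locked/htdocs"
fi
```

Anything printed by the first function is a file or directory a compromised script running as that user could alter; anything printed by the second is a directory that would stop the server from reaching the DocumentRoot.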