Your points are all excellent, Justin, and very clearly stated too. Frankly, they're almost exactly the same conclusions I came to on my own. I could see no reason why Apache should (or would) give a damn about the location of DocumentRoot or who owns it... ESPECIALLY when they let the user change DocumentRoot for each virtual host if he wants. Yet, someone I respect had suggested otherwise and later when I discovered ISPConfig makes similar assumptions about user and group names and location for web directories, I thought perhaps I had overlooked something.

Thanks for confirming what I concluded to begin with. It helps me feel I wasn't so stupid after all. ;)

Also, I want to thank Eric Covener, Jo Yao and Lester Caine who also offered helpful (and confirming) responses to my question.

Have a GREAT day, guys!

Best Professional Regards,
Greg Platt

-----Original Message-----
From: Justin Pasher [mailto:justinp@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, September 02, 2008 3:07 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Why do I need /var/www as DocumentRoot & www-data as www owner?

Greg Platt - Platt Consultants wrote:
> Yes, I realize the DocumentRoot location can be changed. Indeed I've already
> changed it with the sites I converted earlier. What I came here hoping to
> find is someone who understands WHY it was changed by Apache to begin with
> and who could explain the implications of changing it in a different way...
> especially since on Debian I can change it from one virtual host to another.
> Frankly, I haven't found anything yet that says there were technological or
> security reasons why Apache made this change. Not even their documentation
> suggests such reasons exist. If the answer is there ARE no specific reasons
> for the change, I'm inclined to ignore it and go with what I already have
> working.
>

In regards strictly to technological or security reasons for putting the DocumentRoot under /var/www, /home/www, or any other directory you like, there are none.
The "default" location for this directory is ultimately up to the end user. Different Linux distributions will use different default directories. It's all a matter of what the file/directory name standard is for that distro. The same goes for the user account used to run the daemon (www-data for Debian, apache for RedHat based, I believe, etc). The security of the directory is only determined by YOU (i.e. how secure you MAKE it).

The apache user (whether it be apache, www-data, nobody, or any other system user) simply needs execute access on the DocumentRoot directory (and all parent directories) and read permission on the files it will be serving. The files themselves do not need to be owned by the apache user, nor do they need write access, unless you specifically want this (e.g. a script that allows the user to upload a file and it's stored in a directory under DocumentRoot). In fact, it can potentially be a security risk if the files allow the apache user write access (what happens if someone hacks a script and it attempts to modify a file on the website?).

In general, I find it best to simply follow the naming conventions of the distro (you can use symlinks if needed to make it easier for transitioning). This allows someone that is familiar with that distro to come in and not be surprised by a completely different file structure.

Justin Pasher
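The permission rule described in the reply above (execute on DocumentRoot and every parent directory, read on served files, no write access for the server account) can be checked mechanically. The following is an added example, not part of the original thread or of Apache; the function names, finding labels and the constructed demo tree are assumptions, and the check looks at classic mode bits only (no ACLs).

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Unix mode-bit check for one identity. want: 4=read, 2=write, 1=execute.
    Picks the owner, group or other triplet; ignores ACLs and root's override."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def audit_docroot(docroot, uid, gids):
    """Return sorted (finding, path) pairs for the server identity uid/gids."""
    docroot = os.path.realpath(docroot)
    chain, d = [docroot], docroot
    while os.path.dirname(d) != d:          # collect every parent up to /
        d = os.path.dirname(d)
        chain.append(d)
    findings = [("no-traverse", d) for d in chain
                if not allowed(os.stat(d), uid, gids, 1)]
    for root, _dirs, files in os.walk(docroot):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                    # a symlink's own mode bits mean nothing
            need = 1 if stat.S_ISDIR(st.st_mode) else 4   # search dirs, read files
            if not allowed(st, uid, gids, need):
                findings.append(("no-traverse" if need == 1 else "unreadable", path))
            if allowed(st, uid, gids, 2):   # server could modify site content
                findings.append(("server-writable", path))
    return sorted(set(findings))

def demo():
    """Constructed tree owned by the current user; the server is a different,
    hypothetical uid with no matching group, so it falls in the 'other' class."""
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        os.chmod(base, 0o755)
        docroot = os.path.join(base, "site")
        os.makedirs(os.path.join(docroot, "uploads"))
        modes = {"index.html": 0o644, "config.php": 0o600,
                 "uploads/a.txt": 0o666, "uploads": 0o777, ".": 0o755}
        for rel, mode in modes.items():
            p = os.path.join(docroot, rel)
            if not os.path.isdir(p):
                open(p, "w").close()
            os.chmod(p, mode)
        found = audit_docroot(docroot, os.geteuid() + 1, set())
        return [(k, os.path.relpath(p, docroot))
                for k, p in found if p.startswith(docroot)]
```

On a real host the uid and group set would come from `pwd.getpwnam()` and `os.getgrouplist()` for the distro's server account (www-data on Debian, as mentioned in the thread); a deliberately writable upload directory will show up as `server-writable` and should be the only such finding.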