Re: Re: apache best practice

Jay Jesus Amorin wrote:
Hi,

Can anyone help me on apache best practice?

What is the recommended permission of the DocumentRoot?

What is the recommended permission on the files and directories within
the DocumentRoot?

BTW my application is running on LAMP.

Current permission settings:

600 for files
700 for directories


Will this not cause any problem to my LAMP application?

There was actually a recent thread about this here:
http://article.gmane.org/gmane.comp.apache.user/79053

(assuming the apache daemon is running as the user:group apache:apache)

For the document root, the strictest permissions would be ownership of root:apache and permissions of 710. This would allow the apache user directory listing access (required) but not regular users. For the files, follow the same guidelines (not owned by the apache user, except if apache specifically needs write access to the file). However, for files, something like 644 or 604 will be needed, as apache needs read access. The strictest permissions would be 640 with file ownership of root:apache. This would allow apache to read the files, not write to them, and also not allow normal users of the system to read the files. Keep in mind that by using the strictest permissions, updating the files on the site becomes a little bit of a chore.

A slightly less secure, but more sensible approach would be to make the files owned by apache:other_group with permissions 460. This would allow anyone within the "other_group" group to update the files while still allowing apache to read everything. The directory permissions could be owned by apache:other_group with permissions 560. As long as you only put people you trust in the group, you should be fine.

General rule of thumb for security: don't let the apache user have write access to files it doesn't need write access to.

--
Justin Pasher

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
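
An added example, not part of the original message: a shell function that audits a DocumentRoot against the strictest scheme described in the reply above (content not owned by the web server user, no group write for the web server group, no access for other users). It assumes GNU find (`-printf`) and the apache:apache identity the reply assumes; the function name and finding labels are made up for illustration.

```sh
#!/bin/sh
# audit_docroot DOCROOT [WEB_USER] [WEB_GROUP]
# Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
# Assumptions: GNU find, no newlines in file names, daemon runs as apache:apache.
audit_docroot() {
    docroot=$1
    web_user=${2:-apache}
    web_group=${3:-apache}
    findings=$(
        find "$docroot" \( -type f -o -type d \) -printf '%m %u %g %p\n' |
        while read -r mode owner group path; do
            # The owner can always chmod and then write, so ownership by the
            # web server user means the daemon effectively has write access.
            if [ "$owner" = "$web_user" ]; then
                echo "OWNED_BY_WEB_USER  $mode $owner:$group $path"
            fi
            # Group write (020) on content whose group is the web server group.
            if [ "$group" = "$web_group" ] && [ $(( 0$mode & 020 )) -ne 0 ]; then
                echo "WEB_GROUP_WRITABLE $mode $owner:$group $path"
            fi
            # Any "other" bit lets ordinary local users read, traverse or write.
            if [ $(( 0$mode & 002 )) -ne 0 ]; then
                echo "WORLD_WRITABLE     $mode $owner:$group $path"
            elif [ $(( 0$mode & 007 )) -ne 0 ]; then
                echo "OTHER_ACCESS       $mode $owner:$group $path"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /path/to/docroot [web_user] [web_group]
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

Paths the application really must write to, such as an upload directory, will show up as findings and need to be reviewed one by one.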

