Re: Apache 2.2.15 says You do not have permission to view [this file]

Because the apache server runs as a user called, say, 'www', any files which are owned by the user 'www' will be writable by any rogue php script, cgi file, whatever.

Since there is a HUGE amount of bad code out there, imagine if you download and install a product, and a bug is discovered in it. That application can then overwrite your website.

Let me tell you from experience, waking up in the morning and finding out that your website has been transformed into a militant extremist propaganda site is *VERY* upsetting.

So your first line of defense against this is to assure that *NO FILES* are owned by, or writable by, the apache user. There are, of course, exceptions to this - like when you *need* Apache to be able to write to a specific file or directory.


On Jul 29, 2010, at 1:06 PM, James Godrej wrote:

On 07/29/2010 01:06 AM, James Godrej wrote:
> You need to have the owner of your Document Root as your apache or
> www-data user not root.
James,

That is completely incorrect. You should NEVER chown the content to the 
same user apache httpd runs as. EVER.


Oh man an experienced sys admin told me to do it that way.
Please tell me what is wrong in this and where is this documented on Apache docs.
I want to read.


--
Rich Bowen
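
An audit for the rule stated in the message above (no files owned by, or writable by, the Apache user), as an added example that is not part of the original post. The function name `audit_docroot` and its output labels are this example's own; the document root and the account httpd runs as are passed in by the caller.

```shell
#!/bin/sh
# audit_docroot DIR USER
# Report every file or directory under DIR that USER (the account httpd
# runs as) could modify. A writable directory counts: it lets USER replace
# or delete the files inside it.
#   OWNED - owned by USER
#   GROUP - group-writable and owned by one of USER's groups
#   WORLD - world-writable
# Returns 0 if nothing is found, 1 if there are findings, 2 on bad input.
audit_docroot() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    gids=$(id -G "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 2; }

    # Build the find test "-group G1 -o -group G2 ..." from USER's groups.
    set --
    for g in $gids; do
        if [ "$#" -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -group "$g"
    done

    # Symlinks are skipped: their own mode bits are always 0777 on Linux.
    found=$(
        find "$dir" ! -type l -user "$user" -print | sed 's/^/OWNED: /'
        find "$dir" ! -type l ! -user "$user" -perm -0020 \( "$@" \) -print |
            sed 's/^/GROUP: /'
        find "$dir" ! -type l ! -user "$user" -perm -0002 -print |
            sed 's/^/WORLD: /'
    )
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found"
    return 1
}

# Constructed usage: sh audit.sh /var/www/html www
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```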



