Re: Read-only DocumentRoot

----- "PENIN Guillaume (SNCF Voyages/Direction des Operations SI)" <Guillaume.PENIN@xxxxxxx> wrote:

> Hi,
> 
> Many of our application teams ask us to mount the Apache DocumentRoot
> FileSystem in Read-only mode for security reasons. In your opinion, does
> this have any kind of interest?

Mounting the FS read-only might become inconvenient. But you definitely
should not allow the webserver user to have write access to the documentroot.

That is, unless your application requires uploads. Then it should
happen in a controlled directory. i.e.: One that doesn't have
CGI or anything else executable (Options None, SetHandler none),
no .htaccess allowed (AllowOverride None).

> Regards,
> 
> Guillaume PENIN

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
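
An audit for the first point in the reply above, added here as an example and not part of the original message: it walks a DocumentRoot and lists everything the web server account can write to according to the Unix mode bits, skipping the designated upload directory. The function names, the `uploads` directory name and the sample tree are constructed for illustration; ACLs and read-only mounts are not considered.

```python
import os
import stat
import tempfile


def can_write(st, uid, gids):
    """Classic Unix check: the first matching class (owner, group, other) decides."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, uid, gids, upload_dirs=()):
    """Return sorted paths (relative to docroot) writable by uid/gids, skipping upload_dirs."""
    allowed = {os.path.normpath(os.path.join(docroot, d)) for d in upload_dirs}
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        # Prune the controlled upload directories from the walk.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(dirpath, d)) not in allowed]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about write access
            if can_write(st, uid, gids):
                findings.append(os.path.relpath(path, docroot))
    return sorted(findings)


def demo():
    """Constructed sample tree; the web server uid is made up and owns nothing."""
    with tempfile.TemporaryDirectory() as root:
        owner = os.stat(root)
        web_uid, web_gids = owner.st_uid + 1, {owner.st_gid + 1}
        os.chmod(root, 0o755)
        for name, mode in [("index.html", 0o644), ("cache.dat", 0o666)]:
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        for name, mode in [("tmp", 0o777), ("uploads", 0o777)]:
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)
        return audit_docroot(root, web_uid, web_gids, upload_dirs=["uploads"])
```

On a real host, pass the uid and group ids of the account httpd runs as; an empty result means nothing outside the upload directory is writable by that account.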



