Re: apache docroot permissions





On Wed, May 4, 2011 at 7:38 PM, Gordon Messmer <yinyang@xxxxxxxxx> wrote:
> On 05/04/2011 12:49 PM, Johan Martinez wrote:
> > Thanks for the suggestions Richard and Kenneth. I installed drupal here
> > and it requires the user running apache to have write access on the filesystem.
> > Otherwise it complains: 'The directory sites/default/files is not
> > writable'. The content editors/developers need write access to the
> > theme/pictures folders. So it seems like I can't avoid giving write
> > access to the apache user. Any hacks or tips here?
>
> Tip 1:
> Your files and directories can have different permissions.  Rather than
> your original setup, try:
>
> chown -R apache:contenteditors /var/www/html
> find /var/www/html -type f -exec chmod 0464 {} +
> find /var/www/html -type d -exec chmod 2575 {} +
>
> or:
>
> chown -R apache:apache /var/www/html
> find /var/www/html -type f -exec setfacl -m g:contenteditors:rw {} +
> find /var/www/html -type d -exec setfacl -m g:contenteditors:rwx {} +
>
> Tip 2:
> Don't install drupal in /var/www/html.  Generally, /var/www/html should
> be used only for static content.  Web applications should be installed
> outside the document root to prevent a misconfiguration from allowing
> remote clients to download files that might contain configurations,
> passwords, or other sensitive information.  See the rpm-packaged drupal
> for an example of how this is done.
>
> Tip 3:
> If your application says that it needs write access to
> "sites/default/files", then add write access only for that directory.
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos


Thanks for the suggestions everyone. I am using the following config for now.

* Moved the drupal install outside the document root and used an alias for the namespace mapping.
* Filesystem ownership: apache:contenteditors
* Filesystem permissions: u=rx, g=rwx, with the group sticky bit set. The exception is 'sites/default/files', on which apache has write permissions.

jM
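The permission scheme from Tip 1 and Tip 3, together with the layout Johan settled on, as an added example that is not code posted by anyone in this thread: a POSIX shell script that applies the split file/directory modes (0464 for files, 2575 for directories), grants the web server user write access only under sites/default/files, and then audits the tree for any other path the owner could write to. The user name apache and the group contenteditors are taken from the thread; the sample tree, the function names and the audit logic are constructed for this example, and chown is only attempted when run as root.

```shell
#!/bin/sh
# Added example for this thread (not code posted by Gordon or Johan).
# Applies the split file/directory permissions from Tip 1 and the
# "write access only where the application needs it" rule from Tip 3,
# then audits the tree for owner-writable paths outside that area.
# Owner = the web server user, group = the content editors' group.

APACHE_USER="${APACHE_USER:-apache}"              # user name from the thread
EDITOR_GROUP="${EDITOR_GROUP:-contenteditors}"    # group name from the thread

# apply_docroot_perms DOCROOT WRITABLE_SUBDIR
#   files -> 0464: owner r--, group rw-, other r--  (apache cannot edit code)
#   dirs  -> 2575: setgid, owner r-x, group rwx     (new files inherit group)
#   WRITABLE_SUBDIR (relative, e.g. sites/default/files) gets owner write.
apply_docroot_perms() {
    docroot="$1"
    writable="$1/$2"
    [ -d "$docroot" ] || return 1
    # chown only as root; the names are site-specific, so a missing
    # user/group is reported rather than treated as fatal.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$APACHE_USER:$EDITOR_GROUP" "$docroot" 2>/dev/null ||
            echo "note: chown to $APACHE_USER:$EDITOR_GROUP failed" >&2
    fi
    find "$docroot" -type f -exec chmod 0464 {} +
    find "$docroot" -type d -exec chmod 2575 {} +
    if [ -d "$writable" ]; then
        find "$writable" -type d -exec chmod 2775 {} +
        find "$writable" -type f -exec chmod 0664 {} +
    fi
}

# audit_owner_writable DOCROOT WRITABLE_SUBDIR
#   Prints every path under DOCROOT with the owner-write bit (0200) set,
#   skipping WRITABLE_SUBDIR. No output means the policy holds.
audit_owner_writable() {
    find "$1" -path "$1/$2" -prune -o -perm -0200 -print
}

# build_sample_tree DIR: a constructed Drupal-like layout for the demo
build_sample_tree() {
    mkdir -p "$1/sites/default/files" "$1/modules/custom" "$1/themes/mytheme"
    : > "$1/index.php"
    : > "$1/sites/default/settings.php"
    : > "$1/sites/default/files/upload.png"
    : > "$1/themes/mytheme/style.css"
}

# Demonstration in a scratch directory (cleaned up afterwards).
tmp="$(mktemp -d)"
build_sample_tree "$tmp/html"
apply_docroot_perms "$tmp/html" sites/default/files
echo "owner-writable paths outside sites/default/files (expect none):"
audit_owner_writable "$tmp/html" sites/default/files
echo "owner-writable paths inside the upload area:"
find "$tmp/html/sites/default/files" -perm -0200
chmod -R u+w "$tmp" && rm -rf "$tmp"
```

The audit function is the part worth keeping around: after a deployment or a content update, an empty result confirms that nothing outside the upload area has drifted back to being writable by the web server user, which is the property both Gordon's Tip 3 and Johan's final configuration rely on.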