------------ Original Message ------------
> Date: Friday, August 28, 2015 07:40:43 +0200
> From: Luigi Rosa <lists@xxxxxxxxxxxxx>
>
> Tim Dunphy wrote on 28/08/2015 00:18:
>
>> And made sure that the document root setup in the vhost for the
>> site I'm serving has permissions for the apache user. Yet some
>> of the files are throwing a 404 error in a browser even tho they
>> are clearly present and accounted for on the file system.
>
> Put
>
> CheckSpelling on
> CheckCaseOnly on
>
> in vhost or Apache configuration
>
> You have to enable mod_speling in
> /etc/httpd/conf.modules.d/00-base.conf
Please show relevant httpd error_log entries. What is displayed to
the client is never as useful as the real thing.
Separately, your documentroot directory and file ownerships are a
security risk:
> -rw-r--r--. 1 daemon daemon 222568 Jul 16 13:56
/var/www/mycomanystore/images/Jimmy_792x802_R2.jpg
> And all those files have the correct ownership for apache:
> [root@aozwsls00019la apache2]# egrep -i "user|group"
conf/httpd.conf
> User daemon
> Group daemon
Directories and files under the documentroot need to be accessible
to the httpd process, but should never be owned or writable by it.
If they are owned/writable by the httpd process and someone breaks
through (either a bug in httpd (apache) or more likely code/scripts
you are running) then the attacker can do as they wish with the
documentroot contents - including (but not limited to) defacing your
site.
Also, "daemon" is an odd user to be running your httpd as. The
default is generally "apache". On my centos-5 and -6 servers (what
centos release are you running here?) "daemon" is a member of the
group "bin", which escalates potential security issues.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
