Re: Web server files ownership?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



> 
> Since Apache is running as system user 'apache' and system group
> 'apache', I thought it sensible that hosted files be owned by that process.
> 
> # ls -l /var/www/html/
> total 24
> drwxr-x---. 3 apache apache 4096  6 juil. 09:37 default
> drwxr-x---. 3 apache apache 4096  6 juil. 10:01 phpinfo
> drwxr-x---. 3 apache apache 4096  6 juil. 09:41 slackbox-mail
> drwxr-x---. 3 apache apache 4096  6 juil. 09:37 slackbox-site
> drwxr-x---. 3 apache apache 4096  6 juil. 09:42 unixbox-mail
> drwxr-x---. 3 apache apache 4096  6 juil. 09:38 unixbox-site
> 
> Directories are all drwxr-x---, while files are -rw-r-----.
> 
> Now some guy on the french forum fr.centos.org told me that I got
> everything wrong, and that my setup is a security flaw, without
> elaborating any further though.

> So I thought I'd ask on this list (which is a little bit more urbane
> than the french forum).
> 
> 1. What is wrong with my setup ?

Possibly what he means is that having the files and directories
writeable by the process that the web server runs as is a security
issue. i.e. if there are any security issues with httpd, or the code
that runs on the sites, then without a privilege escalation the exploit
would run as the apache user, which means that the exploit can write to
those directories resulting at the least a defaced site or at worst the
upload of a more problematic exploit.

> 
> 2. What do you suggest ?

Have as few directories/files owned by the web server process as
possible. If you have an application that needs to write to a file or
upload to a directory, then they do need to be owned & writeable by
apache.

The files do need to be readable by the apache user, so the file
permissions are usually 644 (with directories 755) and owned by
root.root - although the actual owner doesn't matter so long as apache
can read the files. I suppose if you are really paranoid, then set the
owner to nobody.nobody

> 
> BTW, I don't mind to RTFM, even extensively.
> 

There's lots of pages out there about hardening Apache and what file
ownership and permissions the site should have. Everyone has their
opinion and the defaults for different distros varies. But the
underlying idea is that the web server files should not be owned by the
process that the web server runs as.

P.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux