Re: Simple web server with Apache: web page permissions ?




On Tue, Sep 15, 2009 at 4:20 AM, Niki Kovacs <contact@xxxxxxxxxxxxx> wrote:
> Hi,

> Q: what permissions should I define for these pages?

I'd say, the most restrictive permissions possible, that still allow
your web application to function. I'm a bit more security
conscious/paranoid than most though.

There is an array of things to consider when you're asking about this
sort of thing.
1. Is it a simple server where the person setting things up has the
keys to the castle everywhere, or do you have a 'web group' who can
only deposit pages, but have no other additional privileges and no
root access?

2. Are you hosting static content or dynamic pages?

> I remember having setup some web servers on Debian, and the tradition
> was that everything under /var/www/html (as in this example) was to be
> owned by user www-data and group www-data.
>
> What's the "tradition" with RHEL/CentOS?

The default in CentOS is root ownership, with read privs so the web
server running as apache can hand them out. This is fine for static
content in a basic setup. Some content management systems require that
the web server be able to create files, in which case Ralph's
recommendation of apache:apache ownership is correct.  The downside to
this is that if someone compromises that software through a php
exploit or bad code, they can make changes since they're operating as
the apache user.

I would suggest that you mix the two ideologies as much as possible.
Have root own everything that doesn't change, and display it with 644
permissions. Then let the apache user own the dynamic content areas.

The whole idea is to assume that at some point, someone *is* going to
get in, and you need to plan to minimize the impact when they do. By
planning things out in this way, you can keep your system much more
secure, and prevent nearly all break-ins before they occur.


-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
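The mixed layout recommended above (root-owned static tree at 644/755, one subtree owned by the apache user for whatever the CMS must write), as an added shell example that is not part of the original post. It also includes an audit that reports anything outside the writable subtree that the web server could modify. The docroot path, the `uploads` subtree name and the `apache` user are assumptions; `chown` only takes effect when the script runs as root and the web user exists on the host.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout:
#   /var/www/html            root:root, dirs 755, files 644 (static content)
#   /var/www/html/uploads    apache:apache, the only tree the CMS may write to
# Write access for the web server comes from *ownership* of the dynamic
# subtree, never from group/world write bits.

# harden_docroot DOCROOT WEBUSER WRITABLE_SUBDIR
harden_docroot() {
    docroot=$1 webuser=$2 writable=$3

    # Static tree: dirs 755, files 644. chown needs root and a real user;
    # when run unprivileged the files keep the invoking user's ownership.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$docroot"
    fi
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +

    # Dynamic area: the single subtree the web server user owns.
    mkdir -p "$docroot/$writable"
    if [ "$(id -u)" -eq 0 ] && id "$webuser" >/dev/null 2>&1; then
        chown -R "$webuser:$webuser" "$docroot/$writable"
    fi
    return 0
}

# audit_docroot DOCROOT WRITABLE_SUBDIR WEBUSER
# Prints how many paths outside the writable subtree a compromised
# apache process could modify: anything group- or world-writable, plus
# (when the web user exists on this host) anything it owns.
audit_docroot() {
    docroot=$1 writable=$2 webuser=$3
    bad=$(find "$docroot" -path "$docroot/$writable" -prune -o \
            \( -perm -020 -o -perm -002 \) -print | wc -l)
    if id "$webuser" >/dev/null 2>&1; then
        owned=$(find "$docroot" -path "$docroot/$writable" -prune -o \
                  -user "$webuser" -print | wc -l)
        bad=$((bad + owned))
    fi
    echo "$((bad))"
}
```

Run `harden_docroot /var/www/html apache uploads` as root after deploying, and put `audit_docroot /var/www/html uploads apache` in a cron job; any non-zero count means a "static" page has drifted into something the apache user can rewrite. On CentOS with SELinux enforcing there is a second gate the post does not mention: the apache process can only write to paths labeled `httpd_sys_rw_content_t`, so the writable subtree also needs that context (`semanage fcontext` plus `restorecon`).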
