Olaf Mueller wrote:
> Filipe Brandenburger wrote:
>
>> On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt
>> <ralph.angenendt@xxxxxxxxx> wrote:
>>> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
>>>> I remember having setup some web servers on Debian, and the
>>>> tradition was that everything under /var/www/html (as in this
>>>> example) was to be owned by user www-data and group www-data.
>>>>
>>>> What's the "tradition" with RHEL/CentOS?
>>> apache:apache - at least that is the UID/GID the webserver runs
>>> under.
>> That's wrong. If your files are owned by Apache, any user that can
>> break into your server through Apache will be able to change those
>> files (i.e., deface your website).
> Why wrong? Concerning webdav, how would you get write access for users to
> write to directories?
>
> Now I am a little bit confused, is your answer under
> http://www.linux-archive.org/centos/354005-webdav-centos.html also
> wrong now? You recommended apache:apache for webdav there.

Webdav resources typically need write access.

> By the way, if someone breaks into your server through Apache,
> apache:apache is your lowest problem, that's my opinion.

It is a fairly high risk if you run server-side code (php, perl, etc)
for anything. It lets the intruder write where apache is allowed to
write. That doesn't have to be anywhere unless you permit uploads.

--
   Les Mikesell
    lesmikesell@xxxxxxxxx
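
An added example, not part of the thread: a shell check for the risk discussed above, listing everything under a document root that the web server account owns or can write to through group or world permission bits. The function name, the script name and the optional fourth argument (one upload or WebDAV directory that is meant to be writable) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): list paths under a document root that
# the web server account could modify if the server were compromised.
#
# usage: audit_docroot ROOT USER GROUP [WRITABLE_DIR]
#   ROOT          document root, e.g. /var/www/html
#   USER, GROUP   account the server runs as, e.g. apache apache
#   WRITABLE_DIR  assumption: one directory that is meant to be writable
#                 (uploads, WebDAV); it is skipped, everything else is checked
audit_docroot() {
    root=$1 user=$2 group=$3
    # A pattern that matches no path when no writable directory is given.
    skip=${4:-/nonexistent-writable-dir}

    # One reason per path; the first matching test wins:
    #   owned           owner can rewrite the file or chmod it back to writable
    #   group-writable  server's group has the write bit (020)
    #   world-writable  any account has the write bit (002)
    find "$root" -path "$skip" -prune -o \
        \( -type f -o -type d \) \( \
            -user "$user" -exec printf 'owned\t%s\n' {} + \
            -o -group "$group" -perm -020 \
                -exec printf 'group-writable\t%s\n' {} + \
            -o -perm -002 -exec printf 'world-writable\t%s\n' {} + \
        \)
}

# Run as a script when arguments are supplied, for example:
#   sh audit_docroot.sh /var/www/html apache apache /var/www/html/dav
if [ "$#" -ge 3 ]; then
    audit_docroot "$@"
fi
```

Empty output means the server account can write nowhere outside the directory that was deliberately left writable.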