Re: Simple web server with Apache: web page permissions ?


Olaf Mueller wrote:
> Filipe Brandenburger wrote:
> 
>> On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt
>> <ralph.angenendt@xxxxxxxxx> wrote:
>>> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
>>>> I remember having set up some web servers on Debian, and the
>>>> tradition was that everything under /var/www/html (as in this
>>>> example) was to be owned by user www-data and group www-data.
>>>>
>>>> What's the "tradition" with RHEL/CentOS?
>>> apache:apache - at least that is the UID/GID the webserver runs
>>> under.
>> That's wrong. If your files are owned by Apache, any user that can
>> break into your server through Apache will be able to change those
>> files (i.e., deface your website).
> Why wrong? Concerning webdav, how would you get write access for users to
> write to directories?
> 
> Now I am a little bit confused, is your answer under
> http://www.linux-archive.org/centos/354005-webdav-centos.html also
> wrong now? You recommended apache:apache for webdav there.

Webdav resources typically need write access.

> By the way, if someone breaks into your server through Apache,
> apache:apache is your lowest problem, that's my opinion.

It is a fairly high risk if you run server-side code (php, perl, etc) 
for anything.  It lets the intruder write where apache is allowed to 
write.  That doesn't have to be anywhere unless you permit uploads.

-- 
   Les Mikesell
    lesmikesell@xxxxxxxxx


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
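
An added example, not part of the thread: a shell check that lists what the web server account could modify under a document root, which is the exposure the replies above argue about. The function name `audit_docroot` is hypothetical; the defaults (`/var/www/html`, `apache:apache`) are the values mentioned in the thread.

```shell
#!/bin/sh
# audit_docroot DOCROOT [USER] [GROUP]   (hypothetical helper, added example)
# List every path under DOCROOT that the web server account could modify via
# plain mode bits: owned by USER with owner-write, group-owned by GROUP with
# group-write, or world-writable. Symlinks are skipped because their mode
# bits are not meaningful. POSIX ACLs, SELinux policy and supplementary
# groups are not checked.
audit_docroot() {
    root=${1:-/var/www/html}   # default docroot: the path named in the thread
    user=${2:-apache}          # default account: apache:apache from the thread
    group=${3:-apache}
    find "$root" ! -type l \( \
            \( -user "$user" -perm -200 \) -o \
            \( -group "$group" -perm -020 \) -o \
            -perm -002 \
        \) -print
}

# Stand-alone use: sh audit.sh /var/www/html apache apache
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

On a site that permits no uploads the output should be empty; anything listed beyond a deliberate upload or WebDAV directory is content that server-side code running as that account could rewrite.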
