Les Mikesell wrote:
> Olaf Mueller wrote:
>> Filipe Brandenburger wrote:
>>
>>> On Tue, Sep 15, 2009 at 06:39, Ralph Angenendt
>>> <ralph.angenendt@xxxxxxxxx> wrote:
>>>> On Tue, 2009-09-15 at 10:20 +0200, Niki Kovacs wrote:
>>>>> I remember having setup some web servers on Debian, and the
>>>>> tradition was that everything under /var/www/html (as in this
>>>>> example) was to be owned by user www-data and group www-data.
>>>>>
>>>>> What's the "tradition" with RHEL/CentOS?
>>>> apache:apache - at least that is the UID/GID the webserver runs
>>>> under.
>>> That's wrong. If your files are owned by Apache, any user that can
>>> break into your server through Apache will be able to change those
>>> files (i.e., deface your website).
>> Why wrong? Concerning webdav, how would you get write acces for users
>> to write to directories?
>>
>> Now I am a little bit confused, is your answer under
>> http://www.linux-archive.org/centos/354005-webdav-centos.html also
>> wrong now? You recommended apache:apache for webdav there.
>
> Webdav resources typically need write access.
>
>> By the way, if someone breaks into your server through Apache,
>> apache:apache is your lowest problem, that's my opinion.
>
> It is a fairly high risk if you run server-side code (php, perl, etc)
> for anything. It lets the intruder write where apache is allowed to
> write. That doesn't have to be anywhere unless you permit uploads.
Yes, that is also my opinion.
The thing, which disturbed me, was the statement "That's wrong.". Since
it is a risk, but not wrong.
regards
Olaf
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
