Fedora Linux Support Community & Resources Center

  #1  
Old 29th April 2006, 05:49 PM
lozd Offline
Registered User
 
Join Date: Mar 2006
Location: Melbourne, Australia
Posts: 14
Apache docroot file permissions, owner & group

I am running apache under fc5.

Can anybody tell me what should be the permissions, owner and group of files and folders under /var/www/html?
__________________
:eek:
  #2  
Old 29th April 2006, 06:01 PM
ccrvic Offline
Registered User
 
Join Date: Apr 2006
Posts: 1,092
Quote:
Originally Posted by lozd
Can anybody tell me what should be the permissions, owner and group of files and folders under /var/www/html?
That's pretty much down to how you want to use it.

All that's really necessary is that it must be *readable* by apache, and writable by whomever is going to be putting stuff up there...

Vic.
  #3  
Old 29th April 2006, 06:20 PM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 86
Posts: 1,657
On a fresh install the default owner is root. It is a good idea to create either a user or group that has access to the web-root and to set a group bit to keep ownerships in check, but if you are the only user, the defaults should be OK. "Readable" by apache means that "others" can read the files, not necessarily own them. The octal permission is usually 755 or 775, depending on how you need it, but content generally shouldn't be "world" writable.

http://forums.fedoraforum.org/forum/...d.php?t=105980
__________________
Ziggy
  #4  
Old 29th April 2006, 06:25 PM
ccrvic Offline
Registered User
 
Join Date: Apr 2006
Posts: 1,092
Quote:
Originally Posted by Zigzagcom
"Readable" by apache means that "others" can read the files
It could do. Or you could have apache as the group owner. It all depends on how you want to do it...

Quote:
Originally Posted by Zigzagcom
content generally shouldn't be "world" writable.
Content should *never* be world-writable.

There is always a way to set up your permissions so that everyone who needs write access will get it - without allowing everyone to write all over your sensitive content...

Vic.

Last edited by ccrvic; 30th April 2006 at 10:26 AM. Reason: Type in quoting syntax
  #5  
Old 30th April 2006, 02:22 AM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 86
Posts: 1,657
Point taken. I ran into a web-app called "loudblog" that does instruct to make a couple of directories world writable (for uploading audio content), but then maybe there is a way to use group permissions instead.
__________________
Ziggy
  #6  
Old 30th April 2006, 10:38 AM
ccrvic Offline
Registered User
 
Join Date: Apr 2006
Posts: 1,092
Quote:
Originally Posted by Zigzagcom
I ran into a web-app called "loudblog" that does instruct to make a couple of directories world writable (for uploading audio content)
There are a number of applications that make the same recommendation. It's just sheer laziness on the part of the developers - it means they don't have to think about security. Unfortunately, it opens up the server to attack (particularly if you allow overrides - think .htaccess injection and ExecCGI directives).

It's a large risk, and it's *totally* unnecessary.

Take your example above - a web-based application that allows users to upload files. Now because these files are passed to Apache via some sort of web page, the user that actually does the writes to disk will always be - apache. It doesn't matter who is sending the files, it is apache that does the writes. Thus only apache needs write access to these areas; the recommendation to make them world-writable just doesn't stand up to scrutiny.

Quote:
Originally Posted by Zigzagcom
but then maybe there is a way to use group permissions instead.
There is *always* a way to set up the permissions to do what you want without using world-writable. The only possible exception to that is /tmp, and even then, I've seen 775 on that in certain (slightly strange) circumstances.

Vic.
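
The group-based layout discussed in this thread (a shared editors' group with the setgid bit on directories, an upload area writable only by the server account, nothing world-writable), as an added example that is not part of any poster's message. The function names, the `webeditors` group and the `uploads` path are assumptions chosen for illustration.

```bash
#!/bin/bash
# Added example (not from the thread). The group and user passed in are
# assumptions; on Fedora the server account is normally "apache".

# List everything under $1 that "others" may write to. Symlinks are skipped
# because their own mode bits are always 777 and carry no meaning.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Hand the tree to one editors' group and drop world-write.
#   $1 = docroot   $2 = group whose members publish content
# Directories get setgid so new files inherit the group; read bits for
# "others" are left alone so the server can still read what it could before.
fix_docroot() {
    local root=$1 group=$2
    find "$root" ! -type l -exec chgrp "$group" {} +
    find "$root" -type d -exec chmod g+rwxs,o-w {} +
    find "$root" -type f -exec chmod g+rw,o-w {} +
}

# Upload area: the server process does the writing, so it owns the directory.
#   $1 = directory   $2 = account the web server runs as
# Mode 2750: owner writes, group may read, others get nothing.
make_upload_dir() {
    local dir=$1 server_user=$2
    mkdir -p "$dir"
    chown "$server_user" "$dir"
    chmod 2750 "$dir"
}

# Typical use as root (names are assumptions):
#   fix_docroot /var/www/html webeditors
#   make_upload_dir /var/www/html/uploads apache
#   list_world_writable /var/www/html    # should print nothing
```

Run `fix_docroot` before `make_upload_dir`, otherwise the group-write bit is added back to the upload directory.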