On Thu, 2005-08-25 at 16:53 -0500, Jeff Vian wrote: > The next thing you need is for the user to be able to write to > the /var/www/html directory. > > To accomplish that I make the applicable users members of the apache > group, set their umask accordingly (the files created/modified need to > be group writable so I use 002 for the umask.), and last set > the /var/www/html directory and contents as group writeable "chmod -R > g+w /var/www/html". > > While there are other ways to achieve the same thing this works for me > and does not change security in any way except to make the /var/www/html > directory to be group writable by the apache group. Since the server is > already able to write to that directory tree as the owner (apache) it > seems to me to not make a big difference. Since when? /var/www/html is owned by root by default: # rpm -qlv httpd | grep /var/www/html drwxr-xr-x 2 root root 0 Jul 26 11:14 /var/www/html Making it writable by the web server is a bad thing as far as security goes. Having a group able to write to this directory is a reasonable suggestion, but that group should be a custom one you create for this purpose (e.g. "groupadd webdev"), not apache. > If you are running selinux it likely has other ramifications that are > not addressed above. Indeed; SELinux will require that the appropriate context is set for files that need to be accessed via httpd. See "man httpd_selinux". Paul. -- Paul Howarth <paul@xxxxxxxxxxxx>
