On Tue, 2007-02-20 at 07:11 -0500, Jim Cornette wrote:
> Why would you not want apache to own the files? I have a server that
> is in a sandbox which works fine when files are owned by apache. The 
> permissions are set to 644.

Sure, it'll read them fine, like that.  But if there happens to be an
exploit in the server, or a script that is accessed through the server,
then it can re-write the files (potentially, maliciously).  If they're
owned by something else, it can't do so.

> Doesn't apache serve the files but the viewer of the file is
> requesting the files with different permissions?

We have three basic permission groups:  Owner, a group, and other.  As
far as HTTP serving is concerned, it's "other" people accessing the
files.  Those permissions apply to them, they should only get read
access.

Of course this means some work is involved in writing new files to the
webserver.  One can make the HTML directory owned by the author, if you
trust them not to make mistakes.  You can create user-owned
sub-directories in it.  You can create files in your homespace, and
serve them from there, or copy them to the HTML directory.  Probably a
sensible solution is to make a new webauthors group, and let them own
the HTML directory with rwx permissions.

-- 
(This PC runs FC4, my others FC5 & FC6, in case that's important
 to the thread)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
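
Added example, not part of the original message: a Python sketch of the ownership point made above, listing which entries under a document root a given account could rewrite. It looks at classic mode bits only (no ACLs, SELinux or root override), and the function names and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def can_rewrite(st, uid, gids):
    """True if a process with this uid and group set could alter the entry.
    Classic mode bits only. Exactly one class applies, tested in the order
    owner, group, other.
    """
    if st.st_uid == uid:
        return True  # the owner can chmod its way past a read-only mode
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(root, uid, gids):
    """Relative paths under root (root itself as '.') the account could rewrite.
    Directories count: write access to one allows replacing the files in it.
    """
    hits = []
    if can_rewrite(os.lstat(root), uid, gids):
        hits.append(".")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and can_rewrite(st, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed tree: index.html is 644, upload.html is left at 666."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("index.html", 0o644), ("upload.html", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(root, 0o755)
        st = os.lstat(root)
        # Same tree, audited for its owner and then for an unrelated account.
        as_owner = audit_docroot(root, st.st_uid, {st.st_gid})
        as_other = audit_docroot(root, st.st_uid + 1, {st.st_gid + 1})
    return as_owner, as_other

if __name__ == "__main__":
    owner_hits, other_hits = demo()
    print("server account owns the tree:", owner_hits)
    print("server account is 'other':   ", other_hits)
```

To audit a real tree, pass the web server account's numeric uid and group ids (for example from `pwd.getpwnam` and `os.getgrouplist`) to `audit_docroot`.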

