On 20/02/07, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
On Tue, 2007-02-20 at 07:11 -0500, Jim Cornette wrote: > Why would you not want apache to own the files? I have a server that > is in a sandbox which works fine when files are owned by apache. The > permissions are set to 644. Sure, it'll read them fine, like that. But if there happens to be an exploit in the server, or a script that is accessed through the server, then it can re-write the files (potentially, maliciously). If they're owned by something else, it can't do so. > Doesn't apache serve the files but the viewer of the file is > requesting the files with different permissions? We have three basic permission groups: Owner, a group, and other. As far as HTTP serving is concerned, it's "other" people accessing the files. Those permissions apply to them, they should only get read access. Of course this means some work is involved in writing new files to the webserver. One can make the HTML directory owned by the author, if you trust them not to make mistakes. You can create user-owned sub-directories in it. You can create files in your homespace, and serve them from there, or copy them to the HTML directory. Probably a sensible solution is to make a new webauthors group, and let them own the HTML directory with rwx permissions. -- (This PC runs FC4, my others FC5 & FC6, in case that's important to the thread) Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
I've got rootDirectory as /home/user/public_html/, not /var/www. Apache is in the group user. I've got group permission as read only. This way, I can log in as user and modify the files, but apache can only read them. Does anybody see anything dangereous here? I figured that this was the safest way to do it. Dotan Cohen http://lyricslist.com/lyrics/artist_albums/314/ll_cool_j.html http://dagot.com