Tim wrote:
On Tue, 2007-02-20 at 07:11 -0500, Jim Cornette wrote:
Why would you not want apache to own the files? I have a server that
is in a sandbox which works fine when files are owned by apache. The
permissions are set to 644.
Sure, it'll read them fine, like that. But if there happens to be an
exploit in the server, or a script that is accessed through the server,
then it can re-write the files (potentially, maliciously). If they're
owned by something else, it can't do so.
Thanks Tim and replies-listsa1z2-rh !
I might experiment with changing the owner to something else. Before I
changed the file permissions to apache, I could not get the files to
even display without an access error.
The website I have is just used on a network which only I am the only
user for running tests. Funny I know for the purpose of a website to
serve many users.
Doesn't apache serve the files but the viewer of the file is
requesting the files with different permissions?
We have three basic permission groups: Owner, a group, and other. As
far as HTTP serving is concerned, it's "other" people accessing the
files. Those permissions apply to them, they should only get read
access.
I could not read the files served up by apache, testing tomorrow.
Of course this means some work is involved in writing new files to the
webserver. One can make the HTML directory owned by the author, if you
trust them not to make mistakes. You can create user-owned
sub-directories in it. You can create files in your homespace, and
serve them from there, or copy them to the HTML directory. Probably a
sensible solution is to make a new webauthors group, and let them own
the HTML directory with rwx permissions.
I'll have to investigate further on this. I could not write to the
server when apache owned the files.
Isn't apache limited on what it can access, even more than a regular user?
Jim
