On 21/02/07, Jim Cornette <fc-cornette@xxxxxxxxxxxxxx> wrote:
Tim wrote: > On Tue, 2007-02-20 at 07:11 -0500, Jim Cornette wrote: >> Why would you not want apache to own the files? I have a server that >> is in a sandbox which works fine when files are owned by apache. The >> permissions are set to 644. > > Sure, it'll read them fine, like that. But if there happens to be an > exploit in the server, or a script that is accessed through the server, > then it can re-write the files (potentially, maliciously). If they're > owned by something else, it can't do so. Thanks Tim and replies-listsa1z2-rh ! I might experiment with changing the owner to something else. Before I changed the file permissions to apache, I could not get the files to even display without an access error. The website I have is just used on a network which only I am the only user for running tests. Funny I know for the purpose of a website to serve many users.
That's what I'm doing as well. I imagine that for a good portion of the live websites on the internet today there are non-public testing versions of the sites, just like what you are doing.
> >> Doesn't apache serve the files but the viewer of the file is >> requesting the files with different permissions? > > We have three basic permission groups: Owner, a group, and other. As > far as HTTP serving is concerned, it's "other" people accessing the > files. Those permissions apply to them, they should only get read > access. I could not read the files served up by apache, testing tomorrow.
I have apache as a group member. So long as the group member has read-only access that's fine, right? Why should apache be 'other' if I am expecting her to access the files?
> Of course this means some work is involved in writing new files to the > webserver. One can make the HTML directory owned by the author, if you > trust them not to make mistakes. You can create user-owned > sub-directories in it. You can create files in your homespace, and > serve them from there, or copy them to the HTML directory. Probably a > sensible solution is to make a new webauthors group, and let them own > the HTML directory with rwx permissions. I'll have to investigate further on this. I could not write to the server when apache owned the files. Isn't apache limited on what it can access, even more than a regular user?
Like Tim said, only SELinux pays special attention to Apache. As far as the kernel is concerned, apache is just another user, as if grandma had an account on the machine. I actually have SELinux disabled, as I've found it too cumbersome at my skill level for a privately-accessed box. However, for a public box you should use it. Dotan Cohen http://technology-sleuth.com/technical_answer/what_is_hdtv.html http://lyricslist.com/lyrics/artist_albums/487/u2.html