[GRLUG] recommended permissions/owners for apache files

Tanner Swett ihope127+t at gmail.com
Tue Oct 12 16:47:33 EDT 2010


Now, I don't know what common practice is, but here are the facts I know:

> 1. The document root directory itself. That seems to need to be owned by
> the administrative user of the server and need '755' permissions? Who
> actually executes those files? the 'apache' user?

Remember, the execute bit on a directory indicates whether you can get
a directory listing, not whether you can execute the files in the
directory. 755 will allow anyone to read or list the directory, and
only the administrative user to create files in it.

> 2. HTML, CSS, JS and PHP files: should these be owned by apache? With
> what permissions?

You will probably be both reading and writing those files, while
apache will probably only be reading them. I'm guessing nobody will be
executing any of the files, except maybe the PHP ones. So, you should
set permissions accordingly.

> 3. I've also got a number of text files that my php scripts write to.
> What should the settings be here? Again, owned by apache? but maybe
> '600' permissions? Some of these, once they're written to my server,
> need to be uploaded (php curl) to a 3rd party app on a different server
> (not mine). Does this affect what I need to do with permissions?

Your PHP scripts can't write to them unless apache has write access (I
think), so give apache read and write. Whether you need additional
permissions for the curl to work depends on what user is doing the
curling.

I don't know if groups are commonly used for this, but it seems like a
good idea to create a group containing apache and the administrative
user, and make all files group-owned by that group.

I hope this is more help than harm. :)

Tanner
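
The shared-group layout suggested in the last paragraph of the reply, as an added example that is not part of the original post. The group name `webadmin`, the `data/` subdirectory for files the PHP scripts write, and the absence of CGI scripts (so no file needs the execute bit) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumed layout: the administrative user owns everything, apache is a member
# of a shared group (hypothetical name: webadmin), and PHP only writes
# under DOCROOT/data.

# apply_web_perms DOCROOT [GROUP]
#   directories   2750  owner rwx, group r-x, setgid so new files keep the group
#   static files   640  owner rw, group (apache) read-only, others nothing
#   data/ dirs    2770  group may create and remove files
#   data/ files    660  group (apache) may write
apply_web_perms() {
    docroot=$1
    group=${2:-}
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }

    # chgrp needs root or membership of GROUP; skipped when no group is given.
    if [ -n "$group" ]; then
        chgrp -R "$group" "$docroot" || return 1
    fi

    find "$docroot" -type d -exec chmod 2750 {} +
    find "$docroot" -type f -exec chmod 640 {} +

    if [ -d "$docroot/data" ]; then
        find "$docroot/data" -type d -exec chmod 2770 {} +
        find "$docroot/data" -type f -exec chmod 660 {} +
    fi
}

# audit_web_perms DOCROOT
#   Prints every path that grants any access to "other", plus every path
#   outside data/ that is group-writable. Returns 1 if anything is printed.
audit_web_perms() {
    findings=$(
        find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
        find "$1" -path "$1/data" -prune -o ! -type l -perm -020 -print
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (path and group are placeholders):
#   apply_web_perms /var/www/example webadmin && audit_web_perms /var/www/example
```

Because "other" gets no access in this layout, the web server can only read the tree if its user really is a member of the group passed to `apply_web_perms`.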
