[GRLUG] recommended permissions/owners for apache files

L. V. Lammert lvl at omnitec.net
Tue Oct 12 16:58:09 EDT 2010


At 03:47 PM 10/12/2010, you wrote:

> > 2. HTML, CSS, JS and PHP files: should these be owned by apache? With
> > what permissions?
>
>You will probably be both reading and writing those files, while
>apache will probably only be reading them. I'm guessing nobody will be
>executing any of the files, except maybe the PHP ones. So, you should
>set permissions accordingly.

NO files should be executable, .. php files are just read by apache 
and interpreted; any executable permission is a BIG security hole.

> > 3. I've also got a number of text files that my php scripts write to.
> > What should the settings be here? Again, owned by apache? but maybe
> > '600' permissions? Some of these, once they're written to my server,
> > need to be uploaded (php curl) to a 3rd party app on a different server
> > (not mine). Does this affect what I need to do with permissions?
>
>Your PHP scripts can't write to them unless apache has write access (I
>think), so give apache read and write. Whether you need additional
>permissions for the curl to work depends on what user is doing the
>curling.

If you have writable files (sessions, logs, ..), put them in a 
sub-directory that is itself apache-writable, .. that way you can 
localize any risks. Keep all other directories NON writable by the apache UID.

The subdirectory is only visible in code and so should not appear 
in the html returned to the user, again lessening the security risk.

>I don't know if groups are commonly used for this, but it seems like a
>good idea to create a group containing apache and the administrative
>user, and make all files group-owned by that group.

Nope. Groups are used to allow more than one *user* to change files 
in a directory - never allow apache write access to any files (except 
those in the restricted directory above).

         HTH,

         Lee
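The layout Lee describes (no execute bit on any file, nothing writable by the server except one data subdirectory) is easy to apply and, more importantly, easy to re-check after every deploy. The script below is an added example and not part of the original thread; it assumes the server runs as the account named in WEB_USER (default "apache"), that the document root and the single writable subdirectory are passed as arguments, and it only changes ownership when run as root on a host where that account exists.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post).
# Assumptions: the httpd service account is $WEB_USER; DOCROOT is the web root and
# WRITABLE is the one subdirectory that PHP is allowed to write into.
set -eu

WEB_USER="${WEB_USER:-apache}"

# lockdown_docroot DOCROOT WRITABLE
# Every directory becomes 0755 and every file 0644, so nothing under the web root is
# executable (PHP is only read and interpreted by the server). The data subdirectory is
# then restricted to its owner (0700 dirs, 0600 files) and handed to the service
# account, so the server can write there and nowhere else.
lockdown_docroot() {
  docroot=$1
  writable=$2
  find "$docroot" -type d -exec chmod 0755 {} +
  find "$docroot" -type f -exec chmod 0644 {} +
  find "$writable" -type d -exec chmod 0700 {} +
  find "$writable" -type f -exec chmod 0600 {} +
  # chown only works as root, and only if the account exists on this host
  # (it usually does not on a developer machine), so the rest stays runnable anywhere.
  if [ "$(id -u)" -eq 0 ] && id "$WEB_USER" >/dev/null 2>&1; then
    chown -R "$WEB_USER" "$writable"
  fi
}

# audit_docroot DOCROOT WRITABLE
# Prints the offenders and returns 1 if any file under DOCROOT carries an execute bit,
# or if anything outside WRITABLE is writable by group or other (the bits the server
# falls back on when it is not the owner). Returns 0 on a clean tree.
audit_docroot() {
  docroot=$1
  writable=$2
  status=0
  exe=$(find "$docroot" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print)
  wr=$(find "$docroot" -path "$writable" -prune -o \
         \( -perm -g+w -o -perm -o+w \) -print)
  if [ -n "$exe" ]; then
    printf 'executable file(s) under %s:\n%s\n' "$docroot" "$exe"
    status=1
  fi
  if [ -n "$wr" ]; then
    printf 'group/other writable outside %s:\n%s\n' "$writable" "$wr"
    status=1
  fi
  return $status
}
```

Run it as `lockdown_docroot /var/www/site /var/www/site/data` once, then keep `audit_docroot` in a cron job or a deploy hook: a PHP file that picks up an execute bit from a careless upload, or a directory that ends up 0777 "to make it work", shows up in the output instead of sitting there until someone finds it the hard way.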

