[nycphp-talk] Webserver file access
Kenneth Dombrowski
kenneth at ylayali.net
Fri Aug 17 20:36:49 EDT 2007
On 07-08-17 14:25 -0400, Anthony Wlodarski wrote:
> Let us talk about theoretical here. If the owner of the web root folder is
> "root" (/var/www/html), should it be changed to the Apache group that is
> created normally. I did a few checks in the /etc/group file and the apache
> group does exist as well my account on the box is part of that group, should
> the web root group be changed apache to make sure that only users of the
> Apache group have controls?

generally, you only want the apache user to have read access to your
files, and read + traverse (execute) access to your directories, the
exception is cgi scripts & the like, where it also needs +x on files.

i tend to leave /var/www/html alone because if you use a package
manager, it will think it owns it (it is where it puts the
"congratulations, apache works!" page). in my /var/www root also owns
the default webalizer directory & a bunch of other installed apps.

for user-installed sites, i always use VirtualHosts, and i always create
a custom user and group to own them, for the access control benefits i
described. most distros make this easy by including /etc/httpd/conf.d/*
from the system-installed httpd.conf.
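
Added example (not part of the original message and not the poster's own code): a Python audit of a document root against the policy in the reply above, where the server account gets read on files, read + traverse on directories, execute only under a CGI directory, and never write. The names class_bits, audit_docroot and build_sample_tree, the "cgi-bin" directory name and the sample tree are assumptions; only classic owner/group/other mode bits are evaluated, not ACLs or SELinux.

```python
import os, stat, tempfile

def class_bits(st, uid, gids):
    """rwx triplet (0-7) that the owner/group/other check selects for uid/gids."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit_docroot(root, uid, gids, exec_dirs=("cgi-bin",)):
    """Return sorted (relative path, 'excess'|'missing', rwx mask) findings."""
    findings = []
    def check(rel, path, need, allowed):
        bits = class_bits(os.stat(path), uid, gids)
        if bits & ~allowed:
            findings.append((rel, "excess", bits & ~allowed))
        if need & ~bits:
            findings.append((rel, "missing", need & ~bits))
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        check(rel_dir, dirpath, 5, 5)  # directories: read + traverse, never write
        in_exec = bool(set(rel_dir.split(os.sep)) & set(exec_dirs))
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):  # symlink targets are not followed here
                rel = os.path.normpath(os.path.join(rel_dir, name))
                check(rel, path, 4, 5 if in_exec else 4)  # +x only in CGI dirs
    return sorted(findings)

def build_sample_tree():
    """Constructed demo tree; modes are set explicitly so umask does not matter."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for d in ("cgi-bin", "uploads"):
        os.mkdir(os.path.join(root, d))
    modes = {"index.php": 0o644, "config.php": 0o666, "tool.sh": 0o755, "notes.txt": 0o600,
             "cgi-bin/form.cgi": 0o755, ".": 0o755, "cgi-bin": 0o755, "uploads": 0o777}
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    demo = build_sample_tree()
    # Assumption: a uid other than the owner, in no groups, stands in for the server.
    for rel, kind, bits in audit_docroot(demo, os.stat(demo).st_uid + 1, set()):
        print(f"{rel}: {kind} {bits:03b} (rwx mask)")
```

Passing the owner's own uid instead flags every owner-writable entry, which is the case a separate site user and group avoids.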