Posted to users@httpd.apache.org by James Godrej <ja...@yahoo.in> on 2011/02/03 20:48:42 UTC

[users@httpd] giving write permissions to apache user on some folders in document root

Hi,
I am trying to get a few Content Management Systems up and running,
but I have security concerns with respect to them.

1) Please see the following link:
   http://www.dokeos.com/doc/installation_guide.html section 2 says
"The following directories need to be readable, writeable and executable for
everyone:"


    * dokeos/main/inc/conf/
    * dokeos/main/upload/users/
    * dokeos/main/default_course_document/
    * dokeos/archive/
    * dokeos/courses/
    * dokeos/home/

I am not very happy with this idea of having directories that are
readable, writable and executable for everyone.

2) http://doc.claroline.net/en/index.php/Install_general_information

the section "Rights on folders" says:

"If you don't want to set write access on the whole folders, which is
recommended for security reasons, give to the web server user write access on
these folders:"

Is this a recommended practice?

3) Another LMS (Learning Management System) also asked, while installing, to make
some folders writable and executable for everyone. Here is a link:
http://atutor.ca/atutor/docs/installation.php
While installing it I got this message:

    "The directory you specify must be created if it does not already exist
and be writeable by the webserver. On Unix machines issue the command chmod
a+rwx content, additionally the path may not contain any symbolic links.
    chmod a+rwx /var/www/atutor/content"

4) Another LMS, docebolms, asked for write permissions on:
    files/doceboCore/photo
    files/common/users
    files/doceboLms/course
    files/doceboLms/forum
    files/doceboLms/item
    files/doceboLms/message
    files/doceboLms/project
    files/doceboLms/scorm
    files/doceboLms/test

I checked its documentation at
http://www.docebo.org/doceboCms/index.php?mn=docs&op=docs&pi=5_4&folder=7
but it was not that helpful.

I am not at all convinced by the idea of giving read, write and execute
permissions as these Learning Management Systems say.
Let me know what you people have to say.
What is the best practice in such situations?




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] giving write permissions to apache user on some folders in document root

Posted by Scott Gifford <sg...@suspectclass.com>.
On Thu, Feb 3, 2011 at 2:48 PM, James Godrej <ja...@yahoo.in> wrote:
[ ... ]

> I am not at all convinced by the idea of giving read, write and execute
> permissions as these Learning Management Systems say.
> Let me know what you people have to say.
> What is the best practice in such situations?
>

James,

You are right that making these directories writable by the Web server or
world-writable increases your security risk, since in many cases it allows
escalating the ability to write to the filesystem to the ability to execute
arbitrary code as your Web server user.

One option for mitigating this is to carefully configure the Apache-writable
directories so they will not execute content, by limiting the types of
content allowed there, disabling CGI execution, making sure .htaccess files
are ignored, etc.  Generally the content of these directories will be static
images and so won't need to be executed.

You may find you are able to run the content-management part of the system
using a different Apache instance than the user-viewable part.  That would
let you make these directories writable by the admin Apache instance but not
the public one, then protect that Apache instance with firewall rules, a
strong password, SSL, etc.  This would most likely require a bit of work.

Finally, you can carefully review the security of these applications, their
history of security incidents, etc. to determine if they are reliable enough
to be trusted with this sort of access.  If not, try to find one that is.

Sorry there are no simple answers there, but hopefully it is helpful.

------Scott.
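As an added illustration of the first mitigation Scott describes (this is not part of his reply and not an official configuration from any of the LMS projects named), here is an Apache configuration that treats a web-server-writable upload directory as static data only. The path is taken from the ATutor message quoted earlier in the thread; the directive syntax is Apache 2.2, which was current when the thread was written.

```apache
# Added example: a server-writable upload directory that is served, never run.
# Path from the ATutor install message in this thread; adjust to your layout.
# Apache 2.2 syntax: on 2.4 replace "Order deny,allow" + "Deny from all"
# with "Require all denied".

<Directory /var/www/atutor/content>
    # No CGI, no server-side includes, no directory listings, no symlink
    # following: an uploaded script or a planted symlink is neither run
    # nor usable to reach files outside this tree.
    Options None

    # Ignore any .htaccess that ends up here, so it cannot re-enable
    # handlers or options for this directory.
    AllowOverride None

    # Switch mod_php off for this tree. php_admin_flag cannot be undone
    # from .htaccess or ini_set(), unlike php_flag.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Strip handlers/types that would interpret uploaded files, and refuse
    # to serve common script extensions at all, even as plain text.
    RemoveHandler .php .phtml .php3 .php4 .php5 .cgi .pl .py .sh .shtml
    RemoveType    .php .phtml .php3 .php4 .php5
    <FilesMatch "\.(php|phtml|php[345]|cgi|pl|py|sh|shtml)$">
        Order deny,allow
        Deny from all
    </FilesMatch>

    # Stop browsers from "sniffing" an uploaded image into HTML/script.
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options nosniff
    </IfModule>
</Directory>

# Directories the installer writes but that hold no web content (e.g. the
# dokeos/main/inc/conf/ tree mentioned above) should not be served at all.
<Directory /var/www/dokeos/main/inc/conf>
    Order deny,allow
    Deny from all
</Directory>
```

Pair this with ownership instead of `chmod a+rwx`: give the directory to a deploy user with the Apache group and mode 0770 (or 0775), so only that group can write, and run `apachectl configtest` before reloading.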