Posted to users@httpd.apache.org by Hiep Nguyen <hi...@ee.ucr.edu> on 2008/03/05 16:51:41 UTC

[users@httpd] permission on /var/www & /var/www/html

hi all,

assume apache runs under apache user/group and i have a user/group name 
"weber". i use "weber" user to upload files via ftp/sftp.

where should i place my include files so that no one can access except 
apache b/c these files contained user/pw for mysql.

i usually place them in /var/www/html/includes, but people can access 
this folder, so i'm thinking of placing them in /var/www/includes.

what should the permission be for /var/www/html and /var/www/includes/? what 
group should these two directories belong to???

thanks,
t. hiep

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] permission on /var/www & /var/www/html

Posted by Boyle Owen <Ow...@swx.com>.
> -----Original Message-----
> From: Hiep Nguyen [mailto:hiep@ee.ucr.edu] 
> Sent: Wednesday, March 05, 2008 4:52 PM
> To: Apache Users
> Cc: centos@centos.org
> Subject: [users@httpd] permission on /var/www & /var/www/html
> 
> hi all,
> 
> assume apache runs under apache user/group and i have a 
> user/group name 
> "weber". i use "weber" user to upload files via ftp/sftp.
> 
> where should i place my include files so that no one can 
> access except 
> apache b/c these files contained user/pw for mysql.

I assume you mean files that are included by httpd.conf - ie, they
contain apache config directives...

> 
> i usually place them in /var/www/html/includes, but people 
> can access 
> this folder, so i'm thinking of placing them in /var/www/includes.

I assume by "access" you mean access via HTTP - not that they can login
and read them with vi...

> 
> what should the permission be for /var/www/html and 
> /var/www/includes/? what 
> group should these two directories belong to???

If /var/www/includes contains config data then it needs only to be
readable by apache. It also has to have write permission for the user
that edits the file (probably apache too) so just making the dir owned
by apache and with default permissions should do it. Eg:

ls -ld /var/www/includes
drwxr-xr-x  13 apache  apache     4096 Mar  5 17:12 /var/www/includes
  ^
  apache can edit it

NB Assuming your docroot is /var/www/html, web users cannot access this
dir since it is above the docroot. However, anyone logging in via a shell
can still read it. If you want to block this too, remove the read
permission for "others", Eg:

chmod o-r,o-x /var/www/includes
ls -ld /var/www/includes
drwxr-x---  13 apache  apache     4096 Mar  5 17:12 /var/www/includes
       ^
       others can't read it

If /var/www/html contains the content of your site then apache only
needs to be able to read it. The user that edits the content (weber?)
also needs write permission. Simplest thing is to make it owned by weber
with default permissions. Eg:

ls -ld /var/www/html
drwxr-xr-x  13 weber  weber     4096 Mar  5 17:12 /var/www/html
       ^
       apache can read it

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


> 
> thanks,
> t. hiep
> 
 
 
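
An added example, not part of either message: a POSIX shell check for the layout described in the reply above (includes directory outside the docroot, no access for "others", docroot not writable by "others"). The function names and the temporary demo tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example; function names and demo paths are constructed for illustration.

# Succeeds if directory $1 is NOT at or below docroot $2. Both paths are
# canonicalised; the trailing "/" stops /var/www/html2 matching /var/www/html.
is_outside_docroot() {
    a_dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    a_root=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$a_dir/" in
        "$a_root"/*) return 1 ;;
    esac
    return 0
}

# Prints the "others" triplet of ls -ld (columns 8-10), the field the carets
# in the thread point at, e.g. "r-x" or "---".
others_perms() {
    ls -ld "$1" | cut -c8-10
}

# audit_layout INCLUDES DOCROOT: prints findings, returns 0 only when clean.
audit_layout() {
    rc=0
    if ! is_outside_docroot "$1" "$2"; then
        echo "FAIL: $1 is missing or inside $2 (reachable over HTTP)"; rc=1
    fi
    if [ "$(others_perms "$1")" != "---" ]; then
        echo "FAIL: $1 others=$(others_perms "$1"); fix with: chmod o-rwx $1"; rc=1
    fi
    case "$(others_perms "$2")" in
        ?w?) echo "FAIL: $2 is writable by others"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed tree mirroring the two layouts discussed in the thread.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/html/includes" "$t/includes"
    chmod 755 "$t/html" "$t/html/includes"
    chmod 750 "$t/includes"
    audit_layout "$t/html/includes" "$t/html"            # original layout: FAIL
    audit_layout "$t/includes" "$t/html" && echo "OK: $t/includes"
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host, source the file and run `audit_layout /var/www/includes /var/www/html` as a user that can enter both directories (root or apache).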