Posted to users@httpd.apache.org by Eric Covener <co...@gmail.com> on 2010/07/29 19:15:53 UTC

Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

> Oh man an experienced sys admin told me to do it that way.
> Please tell me what is wrong in this and where is this documented on Apache
> docs.
> I want to read.


This is a general principle -- don't grant more access than necessary.
 Apache doesn't need to own files to be able to serve (read) them.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Frank Gingras <fr...@gmail.com>.

On 07/29/2010 01:15 PM, Eric Covener wrote:
>> Oh man an experienced sys admin told me to do it that way.
>> Please tell me what is wrong in this and where is this documented on Apache
>> docs.
>> I want to read.
>
>
> This is a general principle -- don't grant more access than necessary.
>   Apache doesn't need to own files to be able to serve (read) them.
>

James,

Please also see:

http://www.catb.org/~esr/faqs/smart-questions.html

I trust you will find it useful when interacting with other members of 
the community.

Frank.



Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by James Godrej <ja...@yahoo.in>.
Original poster, can you post the end result of the entire discussion?



________________________________

On Fri, Jul 30, 2010 at 1:31 PM, adp002 <ad...@aol.com> wrote:
>
> Folks,
>
> I've been following your conversation about granting too much file access to 
>hackers. I utilize Norton Internet Security Intrusion Protection and to date 
>have had no problems with intruders. I wish to take the risk and set up a 
>symbolic link between htdocs in Program Files and a folder on my 
>desktop... using the System Administrator Prompt, so that I can easily modify 
>files and then save them within htdocs. After setting up the 
>administrative-level symbolic link, what directives in conf.ini for Apache 
>2.2.15 would I need to change? Thanks.
> PS. I do take frequent full system image backups, so I'm willing to take a 
>risk, as I mentioned. Thanks again.


Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Eric Covener <co...@gmail.com>.
On Fri, Jul 30, 2010 at 1:31 PM, adp002 <ad...@aol.com> wrote:
>
> Folks,
>
> I've been following your conversation about granting too much file access to hackers. I utilize Norton Internet Security Intrusion Protection and to date have had no problems with intruders. I wish to take the risk and set up a symbolic link between htdocs in Program Files and a folder on my desktop... using the System Administrator Prompt, so that I can easily modify files and then save them within htdocs. After setting up the administrative-level symbolic link, what directives in conf.ini for Apache 2.2.15 would I need to change? Thanks.
> PS. I do take frequent full system image backups, so I'm willing to take a risk, as I mentioned. Thanks again.

You should just add an Alias and a <Directory> block to your
configuration to access a directory outside of your document root.
The contents of the <Directory> should look just like the one you
already have for your DocumentRoot.
If it doesn't work, read your error log and follow up here along with
your configuration and what URL you're requesting.

>
>
> Alan
>
> -------Original Message-------
>
> From: Frank Gingras
> Date: 7/30/2010 12:09:52 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]
>
>
> On 07/30/2010 12:01 PM, Sander Temme wrote:
> >
> > On Jul 30, 2010, at 7:34 AM, Frank Gingras wrote:
> >
> >> May I borrow excerpts from your response for a wiki article? We answer those questions over and over, and I would very much like to link to a complete response instead.
> >
> > I put my response on my blog: http://www.temme.net/sander/2010/07/30/file-system-permissions-for-apache/
> >
> > Quote away!  Attribution appreciated.
> >
> > S.
> >
>
> Sander,
>
> Pardon the direct reply, but I wanted to thank you personally for your
> contribution.
>
> Have a great admin day!
>
> Frank
>


--
Eric Covener
covener@gmail.com



Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by James Godrej <ja...@yahoo.in>.
Ha ha ha :)
I don't mean to offend you, but yeah, your original question got lost in this
conversation.





________________________________
From: adp002 <ad...@aol.com>
To: users@httpd.apache.org
Sent: Fri, 30 July, 2010 11:01:15 PM
Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to view 
[this file]

  
Folks, 
 
I've been following your conversation about granting too much file access to 
hackers. I utilize Norton Internet Security Intrusion Protection and to date 
have had no problems with intruders. I wish to take the risk and set up a 
symbolic link between htdocs in Program Files and a folder on my 
desktop... using the System Administrator Prompt, so that I can easily modify 
files and then save them within htdocs. After setting up the 
administrative-level symbolic link, what directives in conf.ini for Apache 
2.2.15 would I need to change? Thanks. 

PS. I do take frequent full system image backups, so I'm willing to take a risk, 
as I mentioned. Thanks again. 

 
Alan 
 
-------Original Message-------
 
From: Frank Gingras
Date: 7/30/2010 12:09:52 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to view 
[this file]
 
 
On 07/30/2010 12:01 PM, Sander Temme wrote:
>
> On Jul 30, 2010, at 7:34 AM, Frank Gingras wrote:
>
>> May I borrow excerpts from your response for a wiki article? We answer those 
>>questions over and over, and I would very much like to link to a complete 
>>response instead.
>
> I put my response on my blog: 
>http://www.temme.net/sander/2010/07/30/file-system-permissions-for-apache/
>
> Quote away!  Attribution appreciated.
>
> S.
>
 
Sander,
 
Pardon the direct reply, but I wanted to thank you personally for your
contribution.
 
Have a great admin day!
 
Frank
 


Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by adp002 <ad...@aol.com>.
Folks, 
 
I've been following your conversation about granting too much file access to
hackers. I utilize Norton Internet Security Intrusion Protection and to date
have had no problems with intruders. I wish to take the risk and set up a
symbolic link between htdocs in Program Files and a folder on my desktop...
using the System Administrator Prompt, so that I can easily modify files and
then save them within htdocs. After setting up the administrative-level
symbolic link, what directives in conf.ini for Apache 2.2.15 would I need to
change? Thanks. 
PS. I do take frequent full system image backups, so I'm willing to take a
risk, as I mentioned. Thanks again. 
 
Alan 

-------Original Message-------
 
From: Frank Gingras
Date: 7/30/2010 12:09:52 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to
view [this file]
 
 
On 07/30/2010 12:01 PM, Sander Temme wrote:
>
> On Jul 30, 2010, at 7:34 AM, Frank Gingras wrote:
>
>> May I borrow excerpts from your response for a wiki article? We answer
>> those questions over and over, and I would very much like to link to a
>> complete response instead.
>
> I put my response on my blog:
> http://www.temme.net/sander/2010/07/30/file-system-permissions-for-apache/
>
> Quote away!  Attribution appreciated.
>
> S.
>
 
Sander,
 
Pardon the direct reply, but I wanted to thank you personally for your
contribution.
 
Have a great admin day!
 
Frank
 
 
 

Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Frank Gingras <fr...@gmail.com>.

On 07/30/2010 12:01 PM, Sander Temme wrote:
>
> On Jul 30, 2010, at 7:34 AM, Frank Gingras wrote:
>
>> May I borrow excerpts from your response for a wiki article? We answer those questions over and over, and I would very much like to link to a complete response instead.
>
> I put my response on my blog: http://www.temme.net/sander/2010/07/30/file-system-permissions-for-apache/
>
> Quote away!  Attribution appreciated.
>
> S.
>

Sander,

Pardon the direct reply, but I wanted to thank you personally for your 
contribution.

Have a great admin day!

Frank



Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Sander Temme <sc...@apache.org>.
On Jul 30, 2010, at 7:34 AM, Frank Gingras wrote:

> May I borrow excerpts from your response for a wiki article? We answer those questions over and over, and I would very much like to link to a complete response instead.

I put my response on my blog: http://www.temme.net/sander/2010/07/30/file-system-permissions-for-apache/

Quote away!  Attribution appreciated. 

S.

-- 
Sander Temme
sctemme@apache.org
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A







Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Frank Gingras <fr...@gmail.com>.

On 07/30/2010 03:13 AM, Sander Temme wrote:
> James,
>
> The Apache HTTP Server needs read access to its configuration files and the files it serves.  In and of itself, the server does not need write access anywhere on the system: even its log files are opened for write when the server is still root, and the open file descriptors passed to the child processes which change their user id to the lesser privileged user.
>
> Read access only.  The web server user should not own, or be able to write to, its configuration files or content.
>
> Content, other than CGI scripts, generally does not need Execute permissions.  Even PHP files that are interpreted by the server do not need to be Executable.
>
> Certain applications, especially publishing platforms and Content Management Systems that you manage and populate through the web server itself using a browser, require that certain directories on the system be made writable by the web server user.  You can do this by changing the owner of the directory to that user (usually www but ymmv), or by making the directory group-writable and changing the group to the group as which Apache runs.
>
> Making directories writable by the web server should be done only with care and consideration.  The usual threat model is that someone manages to upload (for instance) a PHP script of their own making into the document root, and simply executes that by accessing it through a browser.  Now someone is executing code on your machine.  Google for 'r57' for an example of what such code can do.
>
> If a web app needs writable directories, it's often better to have those outside the DocumentRoot: that way the uploads can't be accessed from the outside through a direct URL.  Some applications (Wordpress for instance) support this, others do not.
>
> In many cases, writable directories are not strictly necessary even though the web app might like them: rather than upload plugins (which contain code that gets executed or interpreted, yech!) through the web browser, upload them through ssh and manually unpack them on the server.  The CMS Joomla! likes to write its configuration file to the Document Root on initial install (which promptly becomes a popular attack target) but if it can't write to the Document Root, it will output the config to the browser so the user can manually upload it.
>
> Hope this helps.
>
> S.
>
> On Jul 29, 2010, at 5:35 PM, James Godrej wrote:
>
>> This I understand.
>> But then do other users not need read/write permissions?
>> There is hardly anything given on this page:
>> http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
>> You mentioned that ServerRoot should not be chowned to Apache.
>> But if not, then to what should it be? And there is nothing about whether the Document Root should be chowned.
>> Who should own the Document Root? There are many applications I download from the internet whose README pages say
>> to chown those directories to apache.
>> Otherwise it never worked.
>> What should I do in this situation?
>>
>> From: Eric Covener<co...@gmail.com>
>> To: users@httpd.apache.org
>> Sent: Thu, 29 July, 2010 10:45:53 PM
>> Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]
>>
>>> Oh man an experienced sys admin told me to do it that way.
>>> Please tell me what is wrong in this and where is this documented on Apache
>>> docs.
>>> I want to read.
>>
>>
>> This is a general principle -- don't grant more access than necessary.
>> Apache doesn't need to own files to be able to serve (read) them.
>>
>
>
>

Sander,

May I borrow excerpts from your response for a wiki article? We answer 
those questions over and over, and I would very much like to link to a 
complete response instead.

Thank you.



Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Rich Bowen <rb...@rcbowen.com>.
Unfortunately, an awful lot of posts on forums and "apache help"
websites are either utter nonsense, or from people more concerned with "just
get it working" than actually doing things right.

On Jul 30, 2010, at 9:40 AM, James Godrej wrote:

> Sander,
> Thanks for such a detailed reply.
> On many forums and user groups I have seen people say to
> chown apache:apache /var/www
> or
> chown nobody:nobody /var/www
> chown www-data:www-data /var/www
>
> If someone from the documentation team is reading, I suggest including
> Sander's reply on the appropriate page.
> This is what needs to be known.
>
> I have seen replies on forums where people kept their Document Root
> in their home directory, and
> problems similar to what the original poster posted in this thread
> were solved on other forums by changing the permissions the way I
> said.
> Thanks for the detailed reply.
>
>
>
> From: Sander Temme <sc...@apache.org>
> To: users@httpd.apache.org
> Sent: Fri, 30 July, 2010 12:43:28 PM
> Subject: Re: [users@httpd] Apache 2.2.15 says You do not have  
> permission to view [this file]
>
> James,
>
> The Apache HTTP Server needs read access to its configuration files  
> and the files it serves.  In and of itself, the server does not need  
> write access anywhere on the system: even its log files are opened  
> for write when the server is still root, and the open file  
> descriptors passed to the child processes which change their user id  
> to the lesser privileged user.
>
> Read access only.  The web server user should not own, or be able to  
> write to, its configuration files or content.
>
> Content, other than CGI scripts, generally does not need Execute  
> permissions.  Even PHP files that are interpreted by the server do  
> not need to be Executable.
>
> Certain applications, especially publishing platforms and Content  
> Management Systems that you manage and populate through the web  
> server itself using a browser, require that certain directories on  
> the system be made writable by the web server user.  You can do this  
> by changing the owner of the directory to that user (usually www but  
> ymmv), or by making the directory group-writable and changing the  
> group to the group as which Apache runs.
>
> Making directories writable by the web server should be done only  
> with care and consideration.  The usual threat model is that someone  
> manages to upload (for instance) a PHP script of their own making  
> into the document root, and simply executes that by accessing it  
> through a browser.  Now someone is executing code on your machine.   
> Google for 'r57' for an example of what such code can do.
>
> If a web app needs writable directories, it's often better to have  
> those outside the DocumentRoot: that way the uploads can't be  
> accessed from the outside through a direct URL.  Some applications  
> (Wordpress for instance) support this, others do not.
>
> In many cases, writable directories are not strictly necessary even  
> though the web app might like them: rather than upload plugins  
> (which contain code that gets executed or interpreted, yech!)  
> through the web browser, upload them through ssh and manually unpack  
> them on the server.  The CMS Joomla! likes to write its  
> configuration file to the Document Root on initial install (which  
> promptly becomes a popular attack target) but if it can't write to  
> the Document Root, it will output the config to the browser so the
> user can manually upload it.
>
> Hope this helps.
>
> S.
>
> On Jul 29, 2010, at 5:35 PM, James Godrej wrote:
>
> > This I understand.
> > But then do other users not need read/write permissions?
> > There is hardly anything given on this page:
> > http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
> > You mentioned that ServerRoot should not be chowned to Apache.
> > But if not, then to what should it be? And there is nothing about
> > whether the Document Root should be chowned.
> > Who should own the Document Root? There are many applications I
> > download from the internet whose README pages say
> > to chown those directories to apache.
> > Otherwise it never worked.
> > What should I do in this situation?
> >
> > From: Eric Covener <co...@gmail.com>
> > To: users@httpd.apache.org
> > Sent: Thu, 29 July, 2010 10:45:53 PM
> > Subject: Re: [users@httpd] Apache 2.2.15 says You do not have  
> permission to view [this file]
> >
> > > Oh man an experienced sys admin told me to do it that way.
> > > Please tell me what is wrong in this and where is this  
> documented on Apache
> > > docs.
> > > I want to read.
> >
> >
> > This is a general principle -- don't grant more access than  
> necessary.
> > Apache doesn't need to own files to be able to serve (read) them.
> >
> >  
>
>
>
> -- 
> Sander Temme
> sctemme@apache.org
> PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A
>
>
>
>
>

--
Rich Bowen
rbowen@rcbowen.com




Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by James Godrej <ja...@yahoo.in>.
Sander,
Thanks for such a detailed reply.
On many forums and user groups I have seen people say to
chown apache:apache /var/www
or
chown nobody:nobody /var/www
chown www-data:www-data /var/www

If someone from the documentation team is reading, I suggest including
Sander's reply on the appropriate page.
This is what needs to be known.

I have seen replies on forums where people kept their Document Root in their home
directory, and
problems similar to what the original poster posted in this thread
were solved on other forums by changing the permissions the way I said.
Thanks for the detailed reply.





________________________________
From: Sander Temme <sc...@apache.org>
To: users@httpd.apache.org
Sent: Fri, 30 July, 2010 12:43:28 PM
Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to  
view [this file]

James, 

The Apache HTTP Server needs read access to its configuration files and the 
files it serves.  In and of itself, the server does not need write access 
anywhere on the system: even its log files are opened for write when the server 
is still root, and the open file descriptors passed to the child processes which 
change their user id to the lesser privileged user.  


Read access only.  The web server user should not own, or be able to write to, 
its configuration files or content.  


Content, other than CGI scripts, generally does not need Execute permissions.  
Even PHP files that are interpreted by the server do not need to be Executable.  


Certain applications, especially publishing platforms and Content Management 
Systems that you manage and populate through the web server itself using a 
browser, require that certain directories on the system be made writable by the 
web server user.  You can do this by changing the owner of the directory to that 
user (usually www but ymmv), or by making the directory group-writable and 
changing the group to the group as which Apache runs. 


Making directories writable by the web server should be done only with care and 
consideration.  The usual threat model is that someone manages to upload (for 
instance) a PHP script of their own making into the document root, and simply 
executes that by accessing it through a browser.  Now someone is executing code 
on your machine.  Google for 'r57' for an example of what such code can do.  


If a web app needs writable directories, it's often better to have those outside 
the DocumentRoot: that way the uploads can't be accessed from the outside 
through a direct URL.  Some applications (Wordpress for instance) support this, 
others do not.  


In many cases, writable directories are not strictly necessary even though the 
web app might like them: rather than upload plugins (which contain code that 
gets executed or interpreted, yech!) through the web browser, upload them 
through ssh and manually unpack them on the server.  The CMS Joomla! likes to 
write its configuration file to the Document Root on initial install (which 
promptly becomes a popular attack target) but if it can't write to the Document 
Root, it will output the config to the browser so the user can manually upload 
it.  


Hope this helps.  

S.

On Jul 29, 2010, at 5:35 PM, James Godrej wrote:

> This I understand.
> But then do other users not need read/write permissions?
> There is hardly anything given on this page:
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
> You mentioned that ServerRoot should not be chowned to Apache.
> But if not, then to what should it be? And there is nothing about whether the
> Document Root should be chowned.
> Who should own the Document Root? There are many applications I download from
> the internet whose README pages say
> to chown those directories to apache.
> Otherwise it never worked.
> What should I do in this situation?
> 
> From: Eric Covener <co...@gmail.com>
> To: users@httpd.apache.org
> Sent: Thu, 29 July, 2010 10:45:53 PM
> Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to 
>view [this file]
> 
> > Oh man an experienced sys admin told me to do it that way.
> > Please tell me what is wrong in this and where is this documented on Apache
> > docs.
> > I want to read.
> 
> 
> This is a general principle -- don't grant more access than necessary.
> Apache doesn't need to own files to be able to serve (read) them.
> 



-- 
Sander Temme
sctemme@apache.org
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A







Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Sander Temme <sc...@apache.org>.
James, 

The Apache HTTP Server needs read access to its configuration files and the files it serves.  In and of itself, the server does not need write access anywhere on the system: even its log files are opened for write when the server is still root, and the open file descriptors passed to the child processes which change their user id to the lesser privileged user.  

Read access only.  The web server user should not own, or be able to write to, its configuration files or content.  

Content, other than CGI scripts, generally does not need Execute permissions.  Even PHP files that are interpreted by the server do not need to be Executable.  

Certain applications, especially publishing platforms and Content Management Systems that you manage and populate through the web server itself using a browser, require that certain directories on the system be made writable by the web server user.  You can do this by changing the owner of the directory to that user (usually www but ymmv), or by making the directory group-writable and changing the group to the group as which Apache runs. 

Making directories writable by the web server should be done only with care and consideration.  The usual threat model is that someone manages to upload (for instance) a PHP script of their own making into the document root, and simply executes that by accessing it through a browser.  Now someone is executing code on your machine.  Google for 'r57' for an example of what such code can do.  

If a web app needs writable directories, it's often better to have those outside the DocumentRoot: that way the uploads can't be accessed from the outside through a direct URL.  Some applications (Wordpress for instance) support this, others do not.  

In many cases, writable directories are not strictly necessary even though the web app might like them: rather than upload plugins (which contain code that gets executed or interpreted, yech!) through the web browser, upload them through ssh and manually unpack them on the server.  The CMS Joomla! likes to write its configuration file to the Document Root on initial install (which promptly becomes a popular attack target) but if it can't write to the Document Root, it will output the config to the browser so the user can manually upload it.

Hope this helps.  

S.

On Jul 29, 2010, at 5:35 PM, James Godrej wrote:

> This I understand.
> But then do other users not need read/write permissions?
> There is hardly anything given on this page:
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
> You mentioned that ServerRoot should not be chowned to Apache.
> But if not, then to what should it be? And there is nothing about whether the Document Root should be chowned.
> Who should own the Document Root? There are many applications I download from the internet whose README pages say
> to chown those directories to apache.
> Otherwise it never worked.
> What should I do in this situation?
> 
> From: Eric Covener <co...@gmail.com>
> To: users@httpd.apache.org
> Sent: Thu, 29 July, 2010 10:45:53 PM
> Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]
> 
> > Oh man an experienced sys admin told me to do it that way.
> > Please tell me what is wrong in this and where is this documented on Apache
> > docs.
> > I want to read.
> 
> 
> This is a general principle -- don't grant more access than necessary.
> Apache doesn't need to own files to be able to serve (read) them.
> 
> 
> 
> 



-- 
Sander Temme
sctemme@apache.org
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A







Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Rich Bowen <rb...@rcbowen.com>.
On Jul 29, 2010, at 8:35 PM, James Godrej wrote:

> This I understand.
> But then do other users not need read/write permissions?
> There is hardly anything given on this page:
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
> You mentioned ServerRoot should not be chowned to Apache.
> But if not, then to what should it be, and there is nothing about
> Document Root being chowned?
> Who should own the Document Root? There are many applications I
> download from the internet; in their README pages it says
> to chown those directories to apache.
> Otherwise it never worked.
> What should I do in this situation?



If an application tells you you must chown it to Apache, then that's a  
clear indication that the authors of that application have no concern  
for security, and the application should be avoided.


--
Rich Bowen
rbowen@rcbowen.com




Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by Frank Gingras <fr...@gmail.com>.
On 29/07/2010 8:35 PM, James Godrej wrote:
> This I understand.
> But then do other users not need read/write permissions?
> There is hardly anything given on this page:
> http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
> You mentioned ServerRoot should not be chowned to Apache.
> But if not, then to what should it be, and there is nothing about Document Root
> being chowned?
> Who should own the Document Root? There are many applications I download from
> the internet; in their README pages it says
> to chown those directories to apache.
> Otherwise it never worked.
> What should I do in this situation?
>
> ________________________________
> From: Eric Covener<co...@gmail.com>
> To: users@httpd.apache.org
> Sent: Thu, 29 July, 2010 10:45:53 PM
> Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to
> view [this file]
>
>> Oh man an experienced sys admin told me to do it that way.
>> Please tell me what is wrong in this and where is this documented on Apache
>> docs.
>> I want to read.
>
> This is a general principle -- don't grant more access than necessary.
> Apache doesn't need to own files to be able to serve (read) them.
>
>

Discard the installation instruction for that software, as it's rubbish. 
See man chmod instead.

Alternately, you can chgrp that resource to the group apache httpd runs 
as, and grant g+w on that resource.

As a general rule, never allow any application to write in the 
DocumentRoot path, unless it's done during the installation. Always take 
the write permissions away afterwards. If you must grant write access, 
do it outside the DocumentRoot path.

Is that succinct enough?

Frank
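Sander's point (the writable area belongs outside the DocumentRoot) and Frank's (chgrp to the group httpd runs as, grant g+w there, and take write permission away from the DocumentRoot after installation) can be written down as a small shell script. This is an added example, not code from either poster or from the httpd project; the DocumentRoot path, the upload path and the group name (whatever your Group directive names, e.g. apache or www-data) are arguments you supply.

```shell
#!/bin/sh
# Added example: lock down a DocumentRoot and keep the writable area outside it.
# Nothing here is httpd project code; paths and group are caller-supplied.

# Make everything under the DocumentRoot read-only for the web server:
# directories 0755, files 0644. Ownership stays with the account that deploys
# the site (root or your own user), never the user httpd runs as.
lockdown_docroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "no such DocumentRoot: $docroot" >&2; return 1; }
    find "$docroot" -type d -exec chmod 0755 '{}' +
    find "$docroot" -type f -exec chmod 0644 '{}' +
}

# Create the one directory an application may write to. It must not live
# under the DocumentRoot, so an uploaded file can never be fetched by URL.
# grp is the group named by httpd's Group directive (apache, www-data, ...).
make_upload_dir() {
    upload=$1
    grp=$2
    docroot=$3
    case "$upload" in
        "$docroot"|"$docroot"/*)
            echo "refusing: $upload is inside DocumentRoot $docroot" >&2
            return 1 ;;
    esac
    mkdir -p "$upload"
    chgrp "$grp" "$upload"
    chmod 0770 "$upload"   # owner and httpd's group may write; nobody else
}

# Audit: print anything under a path that is group- or world-writable.
# Empty output for the DocumentRoot means httpd cannot write there.
find_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}
```

Run `find_writable` on the DocumentRoot after every install or upgrade; anything it prints is a directory the web server could drop a script into.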



Re: [users@httpd] Apache 2.2.15 says You do not have permission to view [this file]

Posted by James Godrej <ja...@yahoo.in>.
This I understand.
But then do other users not need read/write permissions?
There is hardly anything given on this page:
http://httpd.apache.org/docs/trunk/misc/security_tips.html#serverroot
You mentioned ServerRoot should not be chowned to Apache.
But if not, then to what should it be, and there is nothing about Document Root
being chowned?
Who should own the Document Root? There are many applications I download from
the internet; in their README pages it says
to chown those directories to apache.
Otherwise it never worked.
What should I do in this situation?




________________________________
From: Eric Covener <co...@gmail.com>
To: users@httpd.apache.org
Sent: Thu, 29 July, 2010 10:45:53 PM
Subject: Re: [users@httpd] Apache 2.2.15 says You do not have permission to  
view [this file]

> Oh man an experienced sys admin told me to do it that way.
> Please tell me what is wrong in this and where is this documented on Apache
> docs.
> I want to read.


This is a general principle -- don't grant more access than necessary.
Apache doesn't need to own files to be able to serve (read) them.
