Posted to users@httpd.apache.org by Jay Jesus Amorin <ja...@gmail.com> on 2008/09/09 05:50:58 UTC

[users@httpd] Re: apache best practice

Hi,

Can anyone help me on apache best practice?

What is the recommended permission of the DocumentRoot?

What is the recommended permission on the files and directories within
the DocumentRoot?

BTW my application is running on LAMP.

Current permission settings:

600 for files
700 for directories


Will this not cause any problem to my LAMP application?


Thanks,


Jay

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: apache best practice

Posted by Justin Pasher <ju...@newmediagateway.com>.
Jay Jesus Amorin wrote:
> Hi,
>
> Can anyone help me on apache best practice?
>
> What is the recommended permission of the DocumentRoot?
>
> What is the recommended permission on the files and directories within
> the DocumentRoot?
>
> BTW my application is running on LAMP.
>
> Current permission settings:
>
> 600 for files
> 700 for directories
>
>
> Will this not cause any problem to my LAMP application?
>   

There was actually a recent thread about this here:
http://article.gmane.org/gmane.comp.apache.user/79053

(assuming the apache daemon is running as the user:group apache:apache)

For the document root, the strictest permissions would be ownership of 
root:apache and permissions of 710. This would allow the apache user 
directory listing access (required) but not regular users. For the 
files, follow the same guidelines (not owned by the apache user, except 
if apache specifically needs write access to the file). However, for 
files, something like 644 or 604 will be needed, as apache needs read 
access. The strictest permissions would be 640 with file ownership of 
root:apache. This would allow apache to read the files, not write to 
them, and also not allow normal users of the system to read the files. 
Keep in mind that by using the strictest permissions, updating the files 
on the site becomes a little bit of a chore.

A slightly less secure, but more sensible approach would be to make the 
files owned by apache:other_group with permissions 460. This would allow 
anyone within the "other_group" group to update the files while still 
allowing apache to read everything. The directory permissions could be 
owned by apache:other_group with permissions 560. As long as you only 
put people you trust in the group, you should be fine.

General rule of thumb for security: don't let the apache user have write 
access to files it doesn't need write access to.

-- 
Justin Pasher
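
An added example, not part of the original thread: a shell function that audits a document root against the rule of thumb above by listing every path the web server account can write to. The `apache` user and group follow the reply's stated assumption; the function name, the output labels and the path in the usage comment are hypothetical. Files the web user owns are reported even without a write bit, because a file's owner can change its mode.

```shell
#!/bin/sh
# audit_docroot ROOT WEB_USER WEB_GROUP
# Prints "<reason> <path>" for each path the web server account can modify.
# Permission classes are exclusive: owner bits apply to the owner, group
# bits to non-owner group members, "other" bits to everyone else.
# Assumption: WEB_GROUP is the only group the account belongs to
# (supplementary groups are not checked). Symlinks are skipped.
audit_docroot() {
    root=$1; web_user=$2; web_group=$3

    # Owned by the web user with the owner write bit set.
    find "$root" ! -type l -user "$web_user" -perm -200 -print |
        sed 's/^/owner-writable /'

    # Owned by the web user without a write bit: it can still chmod the file.
    find "$root" ! -type l -user "$web_user" ! -perm -200 -print |
        sed 's/^/owner-can-chmod /'

    # Not owned by the web user, but its group has write access.
    find "$root" ! -type l ! -user "$web_user" -group "$web_group" \
        -perm -020 -print | sed 's/^/group-writable /'

    # Neither owner nor group matches, but the path is world-writable.
    find "$root" ! -type l ! -user "$web_user" ! -group "$web_group" \
        -perm -002 -print | sed 's/^/world-writable /'
}

# Usage (placeholder path): sh audit.sh /path/to/docroot apache apache
if [ "$#" -ge 3 ]; then
    audit_docroot "$1" "$2" "$3"
fi
```

Every line of output is a path to review; upload or cache directories the application must write to are the expected exceptions.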