Posted to users@httpd.apache.org by Jay Jesus Amorin <ja...@gmail.com> on 2008/09/09 05:50:58 UTC
[users@httpd] Re: apache best practice
Hi,
Can anyone help me on apache best practice?
What is the recommended permission of the DocumentRoot?
What is the recommended permission on the files and directories within
the DocumentRoot?
BTW my application is running on LAMP.
Current permission settings:
600 for files
700 for directories
Will this not cause any problem to my LAMP application?
Thanks,
Jay
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: apache best practice
Posted by Justin Pasher <ju...@newmediagateway.com>.
Jay Jesus Amorin wrote:
> Hi,
>
> Can anyone help me on apache best practice?
>
> What is the recommended permission of the DocumentRoot?
>
> What is the recommended permission on the files and directories within
> the DocumentRoot?
>
> BTW my application is running on LAMP.
>
> Current permission settings:
>
> 600 for files
> 700 for directories
>
>
> Will this not cause any problem to my LAMP application?
>
There was actually a recent thread about this here:

http://article.gmane.org/gmane.comp.apache.user/79053

(assuming the apache daemon is running as the user:group apache:apache)

For the document root, the strictest permissions would be ownership of
root:apache and permissions of 710. This would allow the apache user
directory listing access (required) but not regular users. For the
files, follow the same guidelines (not owned by the apache user, except
if apache specifically needs write access to the file). However, for
files, something like 644 or 604 will be needed, as apache needs read
access. The strictest permissions would be 640 with file ownership of
root:apache. This would allow apache to read the files, not write to
them, and also not allow normal users of the system to read the files.
Keep in mind that by using the strictest permissions, updating the files
on the site becomes a little bit of a chore.

A slightly less secure, but more sensible approach would be to make the
files owned by apache:other_group with permissions 460. This would allow
anyone within the "other_group" group to update the files while still
allowing apache to read everything. The directory permissions could be
owned by apache:other_group with permissions 560. As long as you only
put people you trust in the group, you should be fine.

General rule of thumb for security: don't let the apache user have write
access to files it doesn't need write access to.
--
Justin Pasher
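
The ownership and mode combinations discussed in this thread can be checked mechanically. The script below is an added example, not part of either message or of the Apache project: from ownership and mode bits alone it lists the paths under a DocumentRoot that the server account could write to, those it cannot read or enter, and those any local account can read. The function names are hypothetical, and ACLs, supplementary groups and root's override are assumed not to apply.

```sh
#!/bin/sh
# Audit a DocumentRoot by mode bits alone. Assumptions: the function names are
# hypothetical; ACLs, supplementary groups and root's override are ignored.

# by_class ROOT USER GROUP BIT NEG [find tests...]
# Lists paths where the one permission class that applies to USER:GROUP
# (owner if the uid matches, else group if the gid matches, else other)
# has BIT (4 read, 2 write, 1 search), or lacks it when NEG is "!".
by_class() {
    root=$1 user=$2 group=$3 bit=$4 neg=$5
    shift 5
    find "$root" ! -type l "$@" \( \
        \( -user "$user" $neg -perm "-${bit}00" \) -o \
        \( ! -user "$user" -group "$group" $neg -perm "-0${bit}0" \) -o \
        \( ! -user "$user" ! -group "$group" $neg -perm "-00${bit}" \) \
    \) -print
}

# Paths the server account could modify.
server_writable() { by_class "$1" "$2" "$3" 2 ""; }

# Files the server cannot read and directories it cannot enter.
server_blocked() {
    by_class "$1" "$2" "$3" 4 "!" -type f
    by_class "$1" "$2" "$3" 1 "!" -type d
}

# Paths any local account can read.
world_readable() { find "$1" ! -type l -perm -004 -print; }

# Usage: sh audit.sh /path/to/docroot apache apache
if [ "$#" -eq 3 ]; then
    echo "== writable by $2:$3";  server_writable "$1" "$2" "$3"
    echo "== blocked for $2:$3";  server_blocked "$1" "$2" "$3"
    echo "== readable by other";  world_readable "$1"
fi
```

An empty "writable" list together with an empty "blocked" list means the server can serve everything and change nothing; any path that must stay writable (uploads, caches) will show up in the first list and can be reviewed individually.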