Posted to users@httpd.apache.org by jupiter <ju...@gmail.com> on 2012/10/17 13:09:05 UTC

[users@httpd] apache access permission

Hi,

I installed httpd on CentOS 6.2; there is an apache user name, but there
is no apache home directory. I have PHP files which need to access an
ssh key for ssh communication, but the ssh key has "-rw-------"
permission, which denies apache access to it. How do you handle apache
access permission? Should I create an apache home directory to let
apache write its data or access its files in its home directory?

Thank you.

Kind regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] apache access permission

Posted by jupiter <ju...@gmail.com>.
On 10/18/12, Mark Montague <ma...@catseye.org> wrote:
> But in your original email you said, " the ssh key is "-rw-------"
> permission which deny apache to access it".  If apache owns the key, it
> should be able to read it.  Or do you mean "/usr/bin/ssh refused to use
> the key, even though it could read it, due to it being in a directory
> owned by another user and/or readable by another user"?
>
> Either way, it's good that you're only using this key for the web
> application and nothing else.

I cannot log in as apache, so I have to log in as root to create the
directory. I have to fix it by changing the directory ownership from root
to apache. The apache account seems to be set up as no-login; I'm just
wondering if I could log in as the apache user, not the root user, to edit
apache files and directories?


> The apache home directory can be changed, if you want to change it.

Sure, but normally we should not change it.

> The DocumentRoot directive says, "make all files in and below this
> directory available to web clients".  Do you want people requesting
> http://your.server/.bashrc or http://your.server/.ssh/id_rsa  ?  If not,
> make sure that the DocumentRoot directory and the apache home directory
> are two different things.

I know, it is actually at a different level; the DocumentRoot = /var/www/html.

> Under CentOS, the default DocumentRoot directory is /var/www/html so if
> you have not changed this, it is OK to have the private ssh key in
> /var/www/.ssh/id_pub since that will not get served to clients.

You are right. Thank you very much Mark.

Cheers.

Jupiter



Re: [users@httpd] apache access permission

Posted by Mark Montague <ma...@catseye.org>.
On October 18, 2012 5:56 , jupiter <ju...@gmail.com> wrote:
>> For the ssh key, it is important to keep it secure.  Anyone who gets
>> this key can use it to log in to any system that trusts the key.  So it
>> is best to have the key be single-purpose, used only for your PHP web
>> application and not for anything else.  If the key already exists (that
>> is, it was not created just for the use of this PHP web application) and
>> is owned by another user, then that is not great and by letting the user
>> "apache" read (a copy of) the key you may be doing something dangerous.
> The key is only used by the PHP web application, so apache owns that key.

But in your original email you said, " the ssh key is "-rw-------" 
permission which deny apache to access it".  If apache owns the key, it 
should be able to read it.  Or do you mean "/usr/bin/ssh refused to use 
the key, even though it could read it, due to it being in a directory 
owned by another user and/or readable by another user"?

Either way, it's good that you're only using this key for the web 
application and nothing else.


>> it would be very bad if your DocumentRoot were /var/www for some reason,
>> as you'd then be making your ssh key available to anyone who could
>> access your web site).
> Are you saying that the apache home directory is in /var/www, which
> cannot be changed, but the DocumentRoot should be changed to any other
> directory other than /var/www? The DocumentRoot should not be the same
> directory as the apache home directory, for security reasons.


The apache home directory can be changed, if you want to change it.

The DocumentRoot directive says, "make all files in and below this 
directory available to web clients".  Do you want people requesting 
http://your.server/.bashrc or http://your.server/.ssh/id_rsa  ?  If not, 
make sure that the DocumentRoot directory and the apache home directory 
are two different things.

Under CentOS, the default DocumentRoot directory is /var/www/html so if 
you have not changed this, it is OK to have the private ssh key in 
/var/www/.ssh/id_pub since that will not get served to clients.

--
   Mark Montague
   mark@catseye.org




Re: [users@httpd] apache access permission

Posted by jupiter <ju...@gmail.com>.
Thanks Mark.

On 10/17/12, Mark Montague <ma...@catseye.org> wrote:
> Also, are you sure you have no home directory for the user "apache"?  On
> CentOS systems, if you check in the sixth field of the /etc/passwd entry
> for user "apache", you should see a home directory of /var/www

Yes, you are right.

> For the ssh key, it is important to keep it secure.  Anyone who gets
> this key can use it to log in to any system that trusts the key.  So it
> is best to have the key be single-purpose, used only for your PHP web
> application and not for anything else.  If the key already exists (that
> is, it was not created just for the use of this PHP web application) and
> is owned by another user, then that is not great and by letting the user
> "apache" read (a copy of) the key you may be doing something dangerous.

The key is only used by the PHP web application, so apache owns that key.

> it would be very bad if your DocumentRoot were /var/www for some reason,
> as you'd then be making your ssh key available to anyone who could
> access your web site).

Are you saying that the apache home directory is in /var/www, which
cannot be changed, but the DocumentRoot should be changed to any other
directory other than /var/www? The DocumentRoot should not be the same
directory as the apache home directory, for security reasons.

Thank you.

Kind regards.



Re: [users@httpd] apache access permission

Posted by Mark Montague <ma...@catseye.org>.
On October 17, 2012 7:09 , jupiter <ju...@gmail.com> wrote:
> I installed httpd on CentOS 6.2; there is an apache user name, but there
> is no apache home directory. I have PHP files which need to access an
> ssh key for ssh communication, but the ssh key has "-rw-------"
> permission, which denies apache access to it. How do you handle apache
> access permission? Should I create an apache home directory to let
> apache write its data or access its files in its home directory?

This has nothing to do with home directories, or lack of them.  A home 
directory is simply a place to store files.  However, you can store 
files anywhere and grant permissions appropriately.

Also, are you sure you have no home directory for the user "apache"?  On 
CentOS systems, if you check in the sixth field of the /etc/passwd entry 
for user "apache", you should see a home directory of /var/www

For the ssh key, it is important to keep it secure.  Anyone who gets 
this key can use it to log in to any system that trusts the key.  So it 
is best to have the key be single-purpose, used only for your PHP web 
application and not for anything else.  If the key already exists (that 
is, it was not created just for the use of this PHP web application) and 
is owned by another user, then that is not great and by letting the user 
"apache" read (a copy of) the key you may be doing something dangerous.

OpenSSH (/usr/sbin/ssh) will refuse to use a key if the permissions on 
either it or the directory it is in allow access for other users.  So 
rather than setting permissions on the current copy of the key (which 
from what you write above is owned by a different user than "apache") 
you'll probably want to make a copy of the key. If user "apache" has the 
home directory /var/www, then a natural place to put this copy is 
/var/www/.ssh/ (assuming your DocumentRoot directory is /var/www/html, 
it would be very bad if your DocumentRoot were /var/www for some reason, 
as you'd then be making your ssh key available to anyone who could 
access your web site).

If you want to use a ssh key that is stored somewhere else other than 
the user "apache" home directory, the "-i" option to ssh will allow you 
to do this.  See the ssh manual page for more information.

--
   Mark Montague
   mark@catseye.org
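As an added example (not code from the thread or from Mark) that applies his two points, OpenSSH's refusal of a key whose file or directory is open to other users, and keeping the key outside DocumentRoot, here is a POSIX shell audit. It uses a constructed layout in a temp directory in place of /var/www and /var/www/html.

```shell
#!/bin/sh
# Added example, not from the thread: audit a private key that the "apache"
# user will use. KEY and DOCROOT below are constructed/assumed paths.

# 0 if FILE grants no permission bits to group or other (e.g. -rw-------).
key_mode_ok() {
    # columns 5-10 of `ls -ld` are the group and other permission bits
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# 0 if the directory holding FILE is owner-only (e.g. drwx------).
key_dir_ok() {
    bits=$(ls -ld "$(dirname "$1")" | cut -c5-10)
    [ "$bits" = "------" ]
}

# 0 if KEY resolves to a path below DOCROOT, i.e. httpd would serve it.
key_under_docroot() {
    key=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
    root=$(cd "$2" && pwd -P)
    case "$key" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks on KEY against DOCROOT; 0 only when every check passes.
audit_key() {
    status=0
    key_mode_ok "$1" || { echo "key $1 is group/world accessible"; status=1; }
    key_dir_ok "$1" || { echo "$(dirname "$1") is group/world accessible"; status=1; }
    if key_under_docroot "$1" "$2"; then
        echo "key $1 is below DocumentRoot $2 and would be served"; status=1
    fi
    return $status
}

# Demo on a constructed layout in a temp dir standing in for /var/www.
demo() {
    www=$(mktemp -d) && mkdir -p "$www/html" "$www/.ssh" && : > "$www/.ssh/id_rsa"
    chmod 755 "$www/.ssh"; chmod 644 "$www/.ssh/id_rsa"      # the "too open" case
    audit_key "$www/.ssh/id_rsa" "$www/html" || echo "-> fix with chmod 700/600"
    chmod 700 "$www/.ssh"; chmod 600 "$www/.ssh/id_rsa"      # what ssh expects
    audit_key "$www/.ssh/id_rsa" "$www/html" && echo "layout OK"
    rm -rf "$www"
}

demo
```

Run it as root (or as the key's owner) against the real key path and /var/www/html once the copy is in place; any line it prints is a condition ssh or httpd will care about.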

