Posted to users@httpd.apache.org by Greg Platt - Platt Consultants <Gr...@ix.netcom.com> on 2008/09/02 21:15:00 UTC

[users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

I'm throwing in the towel on this question. I've been puzzling over how and
why Apache changed its default document root location and trying to figure
out how that would affect me for weeks now. But no matter how much research
I do the best I've been able to do is to find occasional obtuse references
to the new DocumentRoot in Apache which seems to be /var/www under server
2.x.x with NO explanation at all as to why it was changed or what I should
do with existing Domains as I migrate them to my new server. 

 

I remember someone mentioning in a post I made weeks ago that the ownerships
and permissions on my web directories seemed odd. His remarks suggested he
thought all web directories ought to be owned by www-data and have
permissions of 755. But he never explained why he thought that was true or
what he feared might happen if it WASN'T true. Nevertheless, I remember him
hinting he thought it might have long term security implications. 

 

Unfortunately he provided no references or source links to study up on this
subject and I had NO CLUE where to look for such information either. So I
made a note of his comments and concluded I would watch for information
about this in my readings and research because I figured SOMEWHERE along the
line I'd run into this again. 

 

Perhaps I should explain that on my old RedHat 7.2 server running Apache
1.2.something all web accounts and documents existed in /home/www/mydomain
or /home/www/yourdomain or /home/www/theirdomain and each account at that
level was owned by the site owner. Directories above that in the tree (e.g.
/home/www and above) were all owned by root. In many cases permissions in
the html directory and below were either 744 or 644 and had been that way
for years without causing trouble on my old dedicated server. However, the
www-data user and group did not exist there. There were secondary links to
individual web directories in the site owner's home directory (e.g.
/home/mydomain had a link to /home/www/mydomain, etc.). 

 

There was also another directory link (synonym) at the top of the directory
structure (/) named /www that linked to this same structure. Thus, doing 

 

cd /www/mydomain 

 

was equivalent to doing 

 

cd /home/www/mydomain 

 

or 

 

cd /home/mydomain/www 

 

Since I had no idea when I started setting up my new server that Apache2 on
Debian Etch made a DIFFERENT set of assumptions about where web files would
be located and who would own them, and I had a couple of dozen sites (not to
mention a long list of preconfigured software and shell scripts) that
were built around the old www structure, I naturally started setting up my
test domains using the web directory structure I was familiar with. 

 

In fact, I already had 3 domains converted and working using that old
structure before I heard anyone even mention www-data and /var/www 

 

Up until now I could ignore the differences because I'd managed to get
everything working fine. But now I've reached a fork in the road. And I'm
not sure which way to go here or even whether I should be concerned about
this. 

 

One thing I know is I LOATHE the idea of changing the basic directory
structure for all my old sites unless there's a darn good reason to do so.
If I do that, it could be YEARS before I manage to find and fix all the
configuration and setup parameters and shell scripts that will need to
change because I did so. 

 

Can someone please tell me whether I really NEED to be worrying about this?
And if making this change in all my existing sites and scripts and software
apps is desirable to improve security (i.e. if the move to the new www-data
and /var/www is important), please tell me WHY it is. Truthfully, I don't
doubt the person who suggested this. I just don't understand why this change
is so important or what I gain by making it. 

 

Can YOU explain the reasons for this shift and clarify how Apache 2.x.x now
assumes things should be set-up and can you tell me why it's important? Or,
can you advise me on what to do here based on your own experience? 

 

Thanks!


Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Tue, Sep 02, 2008 at 04:43:01PM -0400, Eric Covener wrote:
> On Tue, Sep 2, 2008 at 3:15 PM, Greg Platt - Platt Consultants
> <Gr...@ix.netcom.com> wrote:
> 
> > I remember someone mentioning in a post I made weeks ago that the ownerships
> > and permissions on my web directories seemed odd. His remarks suggested he
> > thought all web directories ought to be owned by www-data and have
> > permissions of 755.
> 
> Generally your webserver (www-data) userid shouldn't own the content
> it's serving (or the directory it lives in)
> 
> I think you're  taking the packaging decisions of various
> distributions to heart a little too much.  You should be able to quite
> easily change a DocumentRoot as you move from host to host.

He *did* say he was coming from Red Hat 7, so I can understand that he
might have developed an allergy to reorganizing things, since RHL will
put them right back again the first time you sneeze.  I don't recall
Debian being so, um, insistent, but it's been years since I used
either and things may have changed.

Yes, I would say that the webserver should not own any file it is not
expected to write.  The owner of a file owns its permission mask and
can change its own access at will.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


RE: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Greg Platt - Platt Consultants <Gr...@ix.netcom.com>.
You may be absolutely right here, Eric. Indeed, I hope you ARE right. That's
exactly what I have begun to suspect. When I couldn't find anyone in the
Debian world who could explain why I shouldn't change DocumentRoot on
individual sites when I needed to, I began to suspect I had overreacted to
the original comment (and taken it too seriously). In short I started to
think perhaps there was no good reason. That's why I joined the Apache Users
list to ask. I figured if ANYONE knows a good reason you guys will. ;)

Thanks for the direct feedback, Eric. So far, that's two votes that suggest
it really doesn't matter.

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Tuesday, September 02, 2008 2:43 PM
To: users@httpd.apache.org; gregplatt@ix.netcom.com
Subject: Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data
as www owner?

On Tue, Sep 2, 2008 at 3:15 PM, Greg Platt - Platt Consultants
<Gr...@ix.netcom.com> wrote:

> I remember someone mentioning in a post I made weeks ago that the ownerships
> and permissions on my web directories seemed odd. His remarks suggested he
> thought all web directories ought to be owned by www-data and have
> permissions of 755.

Generally your webserver (www-data) userid shouldn't own the content
it's serving (or the directory it lives in)

I think you're  taking the packaging decisions of various
distributions to heart a little too much.  You should be able to quite
easily change a DocumentRoot as you move from host to host.

-- 
Eric Covener
covener@gmail.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Eric Covener <co...@gmail.com>.
On Tue, Sep 2, 2008 at 3:15 PM, Greg Platt - Platt Consultants
<Gr...@ix.netcom.com> wrote:

> I remember someone mentioning in a post I made weeks ago that the ownerships
> and permissions on my web directories seemed odd. His remarks suggested he
> thought all web directories ought to be owned by www-data and have
> permissions of 755.

Generally your webserver (www-data) userid shouldn't own the content
it's serving (or the directory it lives in)

I think you're  taking the packaging decisions of various
distributions to heart a little too much.  You should be able to quite
easily change a DocumentRoot as you move from host to host.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Eric Covener <co...@gmail.com>.
On Tue, Sep 2, 2008 at 5:10 PM, Greg Platt - Platt Consultants
<Gr...@ix.netcom.com> wrote:

>> You're now using someone else's packaging of the Apache HTTP Server.
>> What Apache change are you referring to?

> On my old RedHat 7.2 server as it was delivered, DocumentRoot for each
> <VirtualDomain> was essentially /home/www/mydomain or /www/mydomain
> depending on your perspective. One was basically a link to the other. In the
> new scheme of things, DocumentRoot was moved (and it seems to have been done
> by Apache themselves) to /var/www.

I doubt Apache ever shipped with a default config that included
mod_vhost_alias.  Perhaps RedHat set this up for you, if it really
wasn't configured after the fact.

Apache supports a number of canned layouts that you select at build
time, but they dictate very little in the manner of how you'd add
additional domains / document roots.  It's mostly concerned with where
the binaries, documents, and icons are installed relative to each other
(along with the initial global DocumentRoot, which for a number of
layouts even in 5.3 is /var/www)

-- 
Eric Covener
covener@gmail.com



RE: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Greg Platt - Platt Consultants <Gr...@ix.netcom.com>.
On my old RedHat 7.2 server as it was delivered, DocumentRoot for each
<VirtualDomain> was essentially /home/www/mydomain or /www/mydomain
depending on your perspective. One was basically a link to the other. In the
new scheme of things, DocumentRoot was moved (and it seems to have been done
by Apache themselves) to /var/www.

On my old server, each virtual host directory and all of the site's web
content was owned by "mydomainowner" and "mydomaingrp" or "yourdomainowner"
and "yourdomaingrp", etc. All directories above that were owned by root. I
was led to believe that in the "NEW way" of doing things, www-data should
own the entire web directory structure and all of its content.

Does that answer the question, Eric? 

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Tuesday, September 02, 2008 2:55 PM
To: users@httpd.apache.org; gregplatt@ix.netcom.com
Subject: Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data
as www owner?

On Tue, Sep 2, 2008 at 4:44 PM, Greg Platt - Platt Consultants
<Gr...@ix.netcom.com> wrote:
>
> Yes, I realize the DocumentRoot location can be changed. Indeed I've already
> changed it with the sites I converted earlier. What I came here hoping to
> find is someone who understands WHY it was changed by Apache to begin with
> and who could explain the implications of changing it in a different way...
> especially since on Debian I can change it from one virtual host to another.
> Frankly, I haven't found anything yet that says there were technological or
> security reasons why Apache made this change. Not even their documentation
> suggests such reasons exist. If the answer is there ARE no specific reasons
> for the change, I'm inclined to ignore it and go with what I already have
> working.

You're now using someone else's packaging of the Apache HTTP Server.
What Apache change are you referring to?

-- 
Eric Covener
covener@gmail.com




Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Eric Covener <co...@gmail.com>.
On Tue, Sep 2, 2008 at 4:44 PM, Greg Platt - Platt Consultants
<Gr...@ix.netcom.com> wrote:
>
> Yes, I realize the DocumentRoot location can be changed. Indeed I've already
> changed it with the sites I converted earlier. What I came here hoping to
> find is someone who understands WHY it was changed by Apache to begin with
> and who could explain the implications of changing it in a different way...
> especially since on Debian I can change it from one virtual host to another.
> Frankly, I haven't found anything yet that says there were technological or
> security reasons why Apache made this change. Not even their documentation
> suggests such reasons exist. If the answer is there ARE no specific reasons
> for the change, I'm inclined to ignore it and go with what I already have
> working.

You're now using someone else's packaging of the Apache HTTP Server.
What Apache change are you referring to?

-- 
Eric Covener
covener@gmail.com



RE: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Greg Platt - Platt Consultants <Gr...@ix.netcom.com>.
Your comments are "right on" here, Lester. I think we become our own enemies
when we mindlessly follow the layouts provided by distro authors or hosting
providers like a school of lemmings hell bent on destruction. That makes it
easy for ANYONE who knows the way our distro providers or server hosts do
things to hack our servers in seconds using standard scripts. I had that
happen more than once at my old hosting provider and I'm convinced it was an
"inside job".

There's really nothing wrong with what Apache or Debian did. It's just that
I didn't go to all this work to make it easy for anyone to hack my server.
Thanks very much, but I prefer to dance to the beat of a different drummer.

I agree... rigid conformity at these levels is not necessarily a good thing.


Thanks.

-----Original Message-----
From: Lester Caine [mailto:lester@lsces.co.uk] 
Sent: Tuesday, September 02, 2008 11:15 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data
as www owner?

Greg Platt - Platt Consultants wrote:
> I'm not arguing for or against what Debian did. One thing I can say is their
> approach provides an individual VirtualHost file for each domain. It thus
> tends to isolate any damage that might be done in editing httpd.conf to a
> single domain. It also makes it easy to disable one domain using their
> a2dissite utility without any risk of affecting other domains.
> 
> Other than that, I honestly don't care. I was actually quite comfortable
> with the httpd.conf approach too. I wasted several hours when I first got
> involved with Debian trying to figure out exactly how their setup differed.
> 
> Indeed, it was just after I'd gone through the struggle of figuring all that
> out and had gotten my 3 test sites working under the Debian paradigm that
> another Debian user remarked about my "unusual" directory structure and
> expressed the opinion that the entire web structure "should be" owned by
> www-data and all sites should be under /var/www. It was at that point that I
> began to worry I had somehow misinterpreted Apache and Debian's intent here.
> 
> That's what eventually led to my first post here today.

I think that there is a little too much 'THIS is the right way!' on some of 
the DISTRIBUTIONS of Apache ( and PHP ), but now that I've got used to the 
/etc/apache2/ layout ( on SUSE in my case ) I do think it's easier than 
Mandriva's /etc/httpd/ . Having to bounce between Windows and Linux, trying to 
emulate some of the Linux ideas in Windows is fun, but worth the effort. 
Splitting the .conf up does make sense.

As for the LOCATION of the target files, I think this is more a case of how 
each distribution partitions the disk by default. Having /var on the 8Gb root 
partition means that logging and large sites very quickly fill up the 
partition, so one almost HAS to move to the 'other' partition which on 
Mandriva is /home ....
Alternatively I dropped a 500Gb disk into one of the servers and partitioned 
that as /var - I think that will take a time to fill ....
At the end of the day the 'target' users of a distribution determine its 
preferred default and many of them are targeting 'desktop' over 'server' so 
NOT providing the most practical layouts for running Apache.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/lsces/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php




Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Lester Caine <le...@lsces.co.uk>.
Greg Platt - Platt Consultants wrote:
> I'm not arguing for or against what Debian did. One thing I can say is their
> approach provides an individual VirtualHost file for each domain. It thus
> tends to isolate any damage that might be done in editing httpd.conf to a
> single domain. It also makes it easy to disable one domain using their
> a2dissite utility without any risk of affecting other domains.
> 
> Other than that, I honestly don't care. I was actually quite comfortable
> with the httpd.conf approach too. I wasted several hours when I first got
> involved with Debian trying to figure out exactly how their setup differed. 
> 
> Indeed, it was just after I'd gone through the struggle of figuring all that
> out and had gotten my 3 test sites working under the Debian paradigm that
> another Debian user remarked about my "unusual" directory structure and
> expressed the opinion that the entire web structure "should be" owned by
> www-data and all sites should be under /var/www. It was at that point that I
> began to worry I had somehow misinterpreted Apache and Debian's intent here.
> 
> That's what eventually led to my first post here today.

I think that there is a little too much 'THIS is the right way!' on some of 
the DISTRIBUTIONS of Apache ( and PHP ), but now that I've got used to the 
/etc/apache2/ layout ( on SUSE in my case ) I do think it's easier than 
Mandriva's /etc/httpd/ . Having to bounce between Windows and Linux, trying to 
emulate some of the Linux ideas in Windows is fun, but worth the effort. 
Splitting the .conf up does make sense.

As for the LOCATION of the target files, I think this is more a case of how 
each distribution partitions the disk by default. Having /var on the 8Gb root 
partition means that logging and large sites very quickly fill up the 
partition, so one almost HAS to move to the 'other' partition which on 
Mandriva is /home ....
Alternatively I dropped a 500Gb disk into one of the servers and partitioned 
that as /var - I think that will take a time to fill ....
At the end of the day the 'target' users of a distribution determine its 
preferred default and many of them are targeting 'desktop' over 'server' so 
NOT providing the most practical layouts for running Apache.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/lsces/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php



RE: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Greg Platt - Platt Consultants <Gr...@ix.netcom.com>.
I'm not arguing for or against what Debian did. One thing I can say is their
approach provides an individual VirtualHost file for each domain. It thus
tends to isolate any damage that might be done in editing httpd.conf to a
single domain. It also makes it easy to disable one domain using their
a2dissite utility without any risk of affecting other domains.

Other than that, I honestly don't care. I was actually quite comfortable
with the httpd.conf approach too. I wasted several hours when I first got
involved with Debian trying to figure out exactly how their setup differed. 

Indeed, it was just after I'd gone through the struggle of figuring all that
out and had gotten my 3 test sites working under the Debian paradigm that
another Debian user remarked about my "unusual" directory structure and
expressed the opinion that the entire web structure "should be" owned by
www-data and all sites should be under /var/www. It was at that point that I
began to worry I had somehow misinterpreted Apache and Debian's intent here.


That's what eventually led to my first post here today.

-----Original Message-----
From: Joseph S D Yao [mailto:jsdy@tux.org] 
Sent: Tuesday, September 02, 2008 2:59 PM
To: Greg Platt - Platt Consultants
Cc: users@httpd.apache.org
Subject: Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data
as www owner?

I have no clue why the Debian Etch distribution is set up as you
describe.

I do remember discussion about the time /var/www was first used, long
ago, about /var always being a read-write file system even if the others
were mounted read-only from some other medium [CD-ROM, NFS, etc.].  This
seemed to be at least part of the motivation.  But I can't speak for
Apache at all.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/




Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Joseph S D Yao <js...@tux.org>.
I have no clue why the Debian Etch distribution is set up as you
describe.

I do remember discussion about the time /var/www was first used, long
ago, about /var always being a read-write file system even if the others
were mounted read-only from some other medium [CD-ROM, NFS, etc.].  This
seemed to be at least part of the motivation.  But I can't speak for
Apache at all.


-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/



RE: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Greg Platt - Platt Consultants <Gr...@ix.netcom.com>.
Your points are all excellent, Justin and very clearly stated too. Frankly,
they're almost exactly the same conclusions I came to on my own. I could see
no reason why Apache should (or would) give a damn about the location of
DocumentRoot or who owns it... ESPECIALLY when they let the user change
DocumentRoot for each virtual host if he wants.

Yet, someone I respect had suggested otherwise and later when I discovered
ISPConfig makes similar assumptions about user and group names and location
for web directories, I thought perhaps I had overlooked something. Thanks
for confirming what I concluded to begin with. It helps me feel I wasn't so
stupid after all. ;)

Also, I want to thank Eric Covener, Joe Yao and Lester Caine who also offered
helpful (and confirming) responses to my question.

Have a GREAT day, guys!

Best Professional Regards,
Greg Platt

-----Original Message-----
From: Justin Pasher [mailto:justinp@newmediagateway.com] 
Sent: Tuesday, September 02, 2008 3:07 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data
as www owner?

Greg Platt - Platt Consultants wrote:
> Yes, I realize the DocumentRoot location can be changed. Indeed I've already
> changed it with the sites I converted earlier. What I came here hoping to
> find is someone who understands WHY it was changed by Apache to begin with
> and who could explain the implications of changing it in a different way...
> especially since on Debian I can change it from one virtual host to another.
> Frankly, I haven't found anything yet that says there were technological or
> security reasons why Apache made this change. Not even their documentation
> suggests such reasons exist. If the answer is there ARE no specific reasons
> for the change, I'm inclined to ignore it and go with what I already have
> working.
>   

In regards strictly to technological or security reason for putting the 
DocumentRoot under /var/www, /home/www, or any other directory you like, 
there are none. The "default" location for this directory is ultimately 
up to the end user. Different Linux distributions will use different 
default directories. It's all a matter of what the file/directory name 
standard is for that distro. The same goes for the user account used to 
run the daemon (www-data for Debian, apache for RedHat based, I believe, 
etc).

The security of the directory is only determined by YOU (i.e. how secure 
you MAKE it). The apache user (whether it be apache, www-data, nobody, 
or any other system user) simply needs execute access on the 
DocumentRoot directory (and all parent directories) and read permission 
on the files it will be serving. The files themselves do not need to be 
owned by the apache user, nor do they need write access, unless you 
specifically want this (e.g. a script that allows the user to upload a 
file and it's stored in a directory under DocumentRoot). In fact, it can 
potentially be a security risk if the files allow the apache user write 
access (what happens if someone hacks a script and it attempts to modify 
a file on the website?).

In general, I find it best to simply follow the naming conventions of 
the distro (you can use symlinks if needed to make it easier for 
transitioning). This allows someone that is familiar with that distro to 
come in and not be surprised by a completely different file structure.


Justin Pasher




Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Justin Pasher <ju...@newmediagateway.com>.
Greg Platt - Platt Consultants wrote:
> Yes, I realize the DocumentRoot location can be changed. Indeed I've already
> changed it with the sites I converted earlier. What I came here hoping to
> find is someone who understands WHY it was changed by Apache to begin with
> and who could explain the implications of changing it in a different way...
> especially since on Debian I can change it from one virtual host to another.
> Frankly, I haven't found anything yet that says there were technological or
> security reasons why Apache made this change. Not even their documentation
> suggests such reasons exist. If the answer is there ARE no specific reasons
> for the change, I'm inclined to ignore it and go with what I already have
> working. 
>   

In regards strictly to technological or security reason for putting the 
DocumentRoot under /var/www, /home/www, or any other directory you like, 
there are none. The "default" location for this directory is ultimately 
up to the end user. Different Linux distributions will use different 
default directories. It's all a matter of what the file/directory name 
standard is for that distro. The same goes for the user account used to 
run the daemon (www-data for Debian, apache for RedHat based, I believe, 
etc).

The security of the directory is only determined by YOU (i.e. how secure 
you MAKE it). The apache user (whether it be apache, www-data, nobody, 
or any other system user) simply needs execute access on the 
DocumentRoot directory (and all parent directories) and read permission 
on the files it will be serving. The files themselves do not need to be 
owned by the apache user, nor do they need write access, unless you 
specifically want this (e.g. a script that allows the user to upload a 
file and it's stored in a directory under DocumentRoot). In fact, it can 
potentially be a security risk if the files allow the apache user write 
access (what happens if someone hacks a script and it attempts to modify 
a file on the website?).

In general, I find it best to simply follow the naming conventions of 
the distro (you can use symlinks if needed to make it easier for 
transitioning). This allows someone that is familiar with that distro to 
come in and not be surprised by a completely different file structure.


Justin Pasher
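
The permission model in the message above (search access on the DocumentRoot and its parents, read access on served files, no ownership and no write access for the server account), together with Mark H. Wood's earlier point that a file's owner can change its mode at will, can be checked mechanically. The script below is an added example, not part of the original thread; the function names are hypothetical, and it assumes only mode bits matter (no ACLs, no supplementary groups).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage: audit_docroot <docroot> <server-uid> <server-gid>
#   e.g. audit_docroot /home/www/mydomain "$(id -u www-data)" "$(id -g www-data)"
# Prints one "<KIND><TAB><path>" line per finding and returns 1 if any exist:
#   NO-TRAVERSE  no search (x) permission on the docroot, a parent or a subdirectory
#   NO-READ      a regular file the server account cannot read
#   OWNED        owned by the server account, which can therefore chmod it
#   WRITABLE     writable by the server account through group or other bits
# Assumptions: only mode bits are evaluated (no ACLs, no supplementary
# groups), and paths contain no newlines.

# lacks UID GID OWNER_BIT GROUP_BIT OTHER_BIT FIND_ARGS...
# Lists entries where the permission class that applies to UID/GID (owner
# bits if it owns the entry, else group bits, else other bits) lacks the bit.
lacks() {
    u=$1 g=$2 ob=$3 gb=$4 tb=$5
    shift 5
    find "$@" ! \( \
        \( -uid "$u" -perm "-$ob" \) -o \
        \( ! -uid "$u" -gid "$g" -perm "-$gb" \) -o \
        \( ! -uid "$u" ! -gid "$g" -perm "-$tb" \) \
    \) -print
}

# Prefix every path read from stdin with the finding kind given as $1.
tag() {
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

audit_docroot() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    uid=$2
    gid=$3
    findings=$(
        # Search permission on the docroot and on every directory below it ...
        lacks "$uid" "$gid" 0100 0010 0001 "$root" -type d | tag NO-TRAVERSE
        # ... and on every parent up to /, tested one directory at a time.
        d=$root
        while [ "$d" != / ]; do
            d=$(dirname "$d")
            lacks "$uid" "$gid" 0100 0010 0001 "$d" -prune | tag NO-TRAVERSE
        done
        # Read permission on the files to be served.
        lacks "$uid" "$gid" 0400 0040 0004 "$root" -type f | tag NO-READ
        # Ownership: the owner controls the mode bits, whatever they are now.
        find "$root" ! -type l -uid "$uid" -print | tag OWNED
        # Write access for a non-owner, via the group or other class.
        find "$root" ! -type l ! -uid "$uid" \( \
            \( -gid "$gid" -perm -0020 \) -o \
            \( ! -gid "$gid" -perm -0002 \) \
        \) -print | tag WRITABLE
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly: sh audit.sh <docroot> <server-uid> <server-gid>
if [ "$#" -eq 3 ]; then
    audit_docroot "$@"
fi
```

An OWNED or WRITABLE finding on an upload directory may be intentional, as the message notes; anywhere else under the DocumentRoot it is worth reviewing.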

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
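
The permission rules Justin describes above can be checked mechanically. The following is an added example, not part of any message in this thread: it reports where the account Apache runs as lacks search (execute) permission on a parent directory, cannot read content, or can write to or owns content. The function names are hypothetical, and the check assumes plain Unix mode bits (no ACLs) and a non-root account.

```python
import os
import stat

def perm_bits(st, uid, gids):
    """rwx triplet (0-7) that plain mode bits grant this uid/gid set (no ACLs, uid != 0)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_docroot(docroot, uid, gids):
    """Return sorted (issue, path) findings for the account Apache runs as."""
    findings = []
    docroot = os.path.realpath(docroot)
    # 1. Every parent directory up to / must grant search (execute) permission.
    path = os.path.dirname(docroot)
    while True:
        if not perm_bits(os.stat(path), uid, gids) & 1:
            findings.append(("no-search", path))
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    # 2. DocumentRoot and below: directories need x, files need r, and the
    #    account should neither be able to write to them nor own them.
    for dirpath, _dirs, files in os.walk(docroot):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink targets are not audited in this sketch
            bits = perm_bits(st, uid, gids)
            needed = 1 if stat.S_ISDIR(st.st_mode) else 4
            if not bits & needed:
                findings.append(("unreadable", path))
            if bits & 2:
                findings.append(("writable", path))
            if st.st_uid == uid:
                findings.append(("owned", path))  # an owner can chmod write access back
    return sorted(findings)

if __name__ == "__main__":
    import pwd, sys
    # usage: script.py DOCROOT [ACCOUNT]; account defaults to Debian's www-data
    acct = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "www-data")
    gids = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    for issue, path in audit_docroot(sys.argv[1], acct.pw_uid, gids):
        print(issue, path)
```

A "writable" finding on an upload directory may be intentional, as the message notes; anything else writable or owned by the server account deserves a second look.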


RE: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Greg Platt - Platt Consultants <Gr...@ix.netcom.com>.
Thanks for the reply, Brian. Yes, I think I'm fairly familiar with the role
of httpd.conf. It is, for example, where the virtual hosts were defined on
RedHat in my earlier version of Linux. In fact I did have an occasional need
to make changes to that file on my old RedHat implementation of Linux.

Perhaps I didn't explicitly point out in my first post that I'm now running
on a server that features Debian Etch. The httpd.conf file in my current
structure arrived 100% empty. In fact, in their 'infinite wisdom', Debian
developers try to steer users away from httpd.conf entirely. Here's a link
to an article that discusses this:
www.control-escape.com/web/configuring-apache2-debian.html 

Yes, I realize the DocumentRoot location can be changed. Indeed I've already
changed it with the sites I converted earlier. What I came here hoping to
find is someone who understands WHY it was changed by Apache to begin with
and who could explain the implications of changing it in a different way...
especially since on Debian I can change it from one virtual host to another.
Frankly, I haven't found anything yet that says there were technological or
security reasons why Apache made this change. Not even their documentation
suggests such reasons exist. If the answer is there ARE no specific reasons
for the change, I'm inclined to ignore it and go with what I already have
working. 

For the record, I've searched each of the key files in the Debian Apache
Config file structure for the direct counterpart to DocumentRoot. The only
place I find any references to DocumentRoot is in the individual VirtualHost
configuration files I created.  I can't find it anywhere else in Debian's
Apache config structure.

That's part of what leaves me confused. I feel like the Connecticut Yankee
in King Arthur's Court here. It's hard to know for sure when you've just
made a quantum leap across hardware generations, software generations AND
Linux versions just how much of the change you're seeing is  the result of
the work of Apache developers versus the work product of Debian Developers
who thought they knew a "better way". That's as hard as trying to figure out
where the Camel ate his last meal by examining the straw in a dung pile you
stepped in the desert. ;)

After 40 years in the biz, my first motto is "Do no harm." And my second is
"Do your best to try to understand any harm you MIGHT do." That's why I'm
here looking for guidance. 

I agree with you about the need to avoid absolute paths in software setups,
Brian. My sole excuse (and it's a weak one) is often when you buy these
packages they don't offer or suggest pathing alternatives. Instead, they
simply demand "path to sendmail on your server" with (or without) a trailing
slash. Nevertheless, your point is well taken. I promise the next time I run
across the 49 year old version of me dashing up and down the hallways of
time, I'll make it a point to kick his butt for not adequately anticipating
everything that would happen 9 years in the future! 

Thanks again for the reply and suggestions, sir. I sincerely appreciate it! 

-----Original Message-----
From: Brian Mearns [mailto:mearns@bmearns.net] 
Sent: Tuesday, September 02, 2008 1:25 PM
To: gregplatt@ix.netcom.com
Cc: users@httpd.apache.org
Subject: Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data
as www owner?

Correct me if I'm wrong, but based on the way your message sounds, you
don't appear to have any knowledge of the httpd.conf file? It's the main
configuration file for your server, and it includes a DocumentRoot
directive that allows you to specify the document root. The default may be
/var/www, but you should be able to set it to anything you want. The same
is true for the user and group that apache uses: these can be configured
with the User and Group directives. I personally have no idea about the
security implications of choosing one document root or user/group over
another, but (as I said), it doesn't sound like you realize they can be
changed, so I just wanted to make sure you knew that.

Secondly---and not to be critical, but hopefully constructive---basing
your work on the absolute paths is a common but dangerous mistake. Of
course it's a lot easier but, as you're beginning to see now, it /always/
comes back to bite you in the long run. Not that it does you any good now,
but it's something you'll probably remember in the future.

Best of luck
-Brian





Re: [users@httpd] Why do I need /var/www as DocumentRoot & www-data as www owner?

Posted by Brian Mearns <me...@bmearns.net>.
Correct me if I'm wrong, but based on the way your message sounds, you
don't appear to have any knowledge of the httpd.conf file? It's the main
configuration file for your server, and it includes a DocumentRoot
directive that allows you to specify the document root. The default may be
/var/www, but you should be able to set it to anything you want. The same
is true for the user and group that apache uses: these can be configured
with the User and Group directives. I personally have no idea about the
security implications of choosing one document root or user/group over
another, but (as I said), it doesn't sound like you realize they can be
changed, so I just wanted to make sure you knew that.

Secondly---and not to be critical, but hopefully constructive---basing
your work on the absolute paths is a common but dangerous mistake. Of
course it's a lot easier but, as you're beginning to see now, it /always/
comes back to bite you in the long run. Not that it does you any good now,
but it's something you'll probably remember in the future.

Best of luck
-Brian


