[sllug-members]: HTTP Directory Permissions Best Practices

Jeff Schroeder jeff at zingstudios.net
Tue Sep 19 09:51:23 MDT 2006


Mike asked:

> Who should be the owners of those directories? What is the best idea
> for permissions? Many of the directories are owned by root, and
> readable by my apache user, but now that I am attempting to set up a
> CMS, apache also needs to write to them.

As you've discovered, things get a little trickier when you have files 
that you want to be able to change, and *also* have Apache change.  I 
don't know what the "best practices" are, but here's how I handle it.

My user "jeff" is in group "users".
The Apache user "nobody" is in group "nobody".

My /home directory is chmod 705, which means it's writeable to me, 
invisible to anyone else in the "users" group, and readable to Apache.  
That's important because obviously Apache needs to be able to access 
the files to serve them.

My web site files are all owned by me and chmod 644, so they're 
writeable to me only (not Apache).

If Apache needs to be able to create files (e.g., a CMS that allows the 
user to upload images or documents), I have a separate directory that's 
owned by me but chmod 777 so it's writeable by Apache.  The uploaded 
files are stored there, and the web site links to it to serve the 
files.

I've found this to be acceptable-- it gives me ultimate control over the 
files, but also permits Apache to do what it needs to do.  There are 
probably some more paranoid security things I could do if I sat down to 
ponder it, but I haven't had any problems with this setup.

HTH,
Jeff
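
As an added example (not part of Jeff's post), the script below rebuilds the layout described above in a scratch directory and audits it: which paths the "other" permission class (where Apache's "nobody" falls) can write, which of those directories lack the sticky bit, and whether the parent directories are traversable. The names `site` and `uploads`, the 755 mode on the site directory, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit the permission layout described in the post.
# Directory and file names are constructed for the demo.

# build_layout ROOT: recreate the post's modes in a scratch tree.
build_layout() {
    mkdir -p "$1/home/site/uploads"
    printf '<html></html>\n' > "$1/home/site/index.html"
    chmod 705 "$1/home"                   # owner rwx, group ---, other r-x
    chmod 755 "$1/home/site"              # assumption: post gives no mode here
    chmod 644 "$1/home/site/index.html"   # writable by the owner only
    chmod 777 "$1/home/site/uploads"      # writable by the web server account
}

# other_writable ROOT: paths that an account in the "other" class
# (neither owner nor group member, e.g. Apache's "nobody") can write to.
other_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# no_sticky ROOT: other-writable directories without the sticky bit, where
# any account may delete or rename files it does not own.
no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# other_can_reach ROOT PATH: succeed only if every directory from PATH's
# parent up to (not including) ROOT has o+x, so "other" can traverse to PATH.
other_can_reach() {
    dir=$(dirname "$2")
    while [ "$dir" != "$1" ]; do
        case $dir in /|.) return 1 ;; esac    # PATH is not under ROOT
        [ -n "$(find "$dir" -prune -perm -0001 -print)" ] || return 1
        dir=$(dirname "$dir")
    done
    return 0
}

demo() {
    scratch=$(mktemp -d) || return 1
    build_layout "$scratch"
    echo "Writable by other:";       other_writable "$scratch"
    echo "Writable, no sticky bit:"; no_sticky "$scratch"
    other_can_reach "$scratch" "$scratch/home/site/index.html" \
        && echo "index.html is reachable by other"
    rm -rf "$scratch"
}
demo
```

Pointing `other_writable` at a real document root shows whether the upload directory is the only entry the web server account can write to.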