[nycphp-talk] Webserver file access

Kenneth Dombrowski kenneth at ylayali.net
Fri Aug 17 20:36:49 EDT 2007


On 07-08-17 14:25 -0400, Anthony Wlodarski wrote:
> Let us talk about the theoretical here.  If the owner of the web root folder is
> "root" (/var/www/html), should it be changed to the Apache group that is
> created normally?  I did a few checks in the /etc/group file and the apache
> group does exist, and my account on the box is part of that group as well.  Should
> the web root group be changed to apache to make sure that only users of the
> Apache group have control?

generally, you only want the apache user to have read access to your
files, and read + traverse (execute) access to your directories.  the
exception is cgi scripts & the like, where it also needs +x on files

i tend to leave /var/www/html alone because if you use a package
manager, it will think it owns it (it is where it puts the
"congratulations, apache works!" page).  in my /var/www, root also owns
the default webalizer directory & a bunch of other installed apps

for user-installed sites, i always use VirtualHosts, and i always create
a custom user and group to own them, for the access control benefits i
described.  most distros make this easy by including /etc/httpd/conf.d/*
from the system-installed httpd.conf  
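
The permission model described in the message above, as an added shell example that is not part of the original post: it audits a site's document root for mode bits that give the web server more than read (files) or read + traverse (directories), and resets them. The function names `audit_docroot` and `fix_docroot`, and `cgi-bin` as the one directory where executable files are expected, are assumptions; it also assumes the site is owned by its own user and Apache reaches it through the "other" bits.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed model: a dedicated user owns the site; Apache is a different user
# and gets read on files and read + traverse on directories, nothing more.

# Print one line per path that deviates from the model.
audit_docroot() {
    root=$1
    # Writable by group or other (symlink modes are meaningless, skip them).
    find "$root" ! -type l \( -perm -020 -o -perm -002 \) -print \
        | sed 's/^/WRITABLE /'
    # Regular files carrying any execute bit outside cgi-bin (assumed name).
    find "$root" -name cgi-bin -prune -o -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print \
        | sed 's/^/EXEC /'
    # Directories the web server cannot list and traverse via "other".
    find "$root" -type d ! -perm -005 -print | sed 's/^/NOTRAVERSE /'
}

# Reset modes: directories 755, files 644, files under cgi-bin 755.
fix_docroot() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -name cgi-bin -prune -o -type f -exec chmod 644 {} +
    find "$root" -path '*/cgi-bin/*' -type f -exec chmod 755 {} +
}

# Stand-alone use: sh audit.sh /path/to/site/docroot
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

Run the audit first and review its output before calling `fix_docroot`, since upload or cache directories that an application must write to need their own, narrower exception.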




