Re: [Sheflug] Web Server document permissions
And Lo! The Great Prophet Ashe uttered these words of wisdom:
>
> On my server, the web directory (/var/www/html) is owned by root and under
> root group, which means that any time I want to alter the webpages, I have to
> create everything, upload it somewhere else, then su into root and copy
> across, which seems like a very cumbersome way of going about it. Are there
> any ways that this can be stepped around without it being too insecure?
>
I tend to have two users for web stuff, and one group:
wwwrun and wwwadmin - wwwrun used by webserver (a non-login account)
and wwwadmin owns the directories for the DocumentRoot (i.e.,
in your case /var/www/html)
and the group:
wwwrun - which is the group that Apache runs as, and also is the
group the directories under DocumentRoot are owned by.
This way, I have a dedicated account for the webserver, separate from
nobody, root, users etc, and can lock DocumentRoot down to permissions
o-rwx (i.e., webserver needs group read permissions).
So in httpd.conf,
User wwwrun
Group wwwrun
and for document root (taking your directory):
chown -R wwwadmin:wwwrun /var/www/html
chmod -R o-rwx /var/www/html
and that locks it down quite nicely. You could use whatever owner you want
for DocumentRoot - I tend to like to put a separate one aside, then scp in
as that user to copy stuff (scp files wwwadmin@remoteserver:/var/www/html)
Alternatively, you could do this:
chown -R wwwadmin:wwwadmin /var/www/html
chmod -R g+rwx,o+rx /var/www/html
and create a group wwwadmin. Then, anyone that needs to write to
/var/www/html just needs to be in the wwwadmin group. The webserver runs as group
wwwrun, so you need to have global-read permissions on the directories and
files at and under /var/www/html.
Any help?
Chris...
--
\ Chris Johnson \ NP: Inkubus Sukkubus - 01. Supernature
\ cej [at] nightwolf.org.uk \
\ http://cej.nightwolf.org.uk/ \
\ http://redclaw.org.uk/ ~---------------------------------------
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
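
Added example, not part of Chris's message: a shell check that a DocumentRoot actually matches the first scheme in the reply (admin owner, webserver group, nothing for "other"). The function names, the output tags and the sample tree are constructed for illustration, and the GWRITE check goes beyond what the post states.

```shell
#!/bin/sh
# Added example (not from the original post): audit a DocumentRoot against
# the first scheme above. Function names and tags are hypothetical.

# audit_docroot DIR OWNER GROUP -> one "TAG path" line per deviation.
audit_docroot() {
    dir=$1 owner=$2 group=$3
    # chown -R wwwadmin:wwwrun not applied, or a file was added later.
    find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -print |
        sed 's/^/OWNER /'
    # Any r, w or x bit left for "other": chmod -R o-rwx not applied.
    find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        sed 's/^/OTHER /'
    # The webserver reads via the group bits: files need g+r, dirs g+rx.
    find "$dir" \( \( -type f ! -perm -040 \) -o \
                   \( -type d ! -perm -050 \) \) -print | sed 's/^/NOREAD /'
    # Extra check beyond the post: o-rwx leaves group bits untouched, so a
    # leftover g+w would let the webserver group modify the content.
    find "$dir" -perm -020 -print | sed 's/^/GWRITE /'
}

# build_sample -> path of a constructed tree with three planted deviations.
build_sample() {
    root=$(mktemp -d) || return 1
    mkdir "$root/img"
    for f in index.html img/logo.png leaky.html hidden.html upload.html; do
        : > "$root/$f"
    done
    chmod 750 "$root" "$root/img"
    chmod 640 "$root/index.html" "$root/img/logo.png"
    chmod 644 "$root/leaky.html"    # readable by "other"
    chmod 600 "$root/hidden.html"   # webserver group cannot read it
    chmod 660 "$root/upload.html"   # webserver group can write it
    printf '%s\n' "$root"
}

# Demo on the constructed tree; on a real server the call would be
#   audit_docroot /var/www/html wwwadmin wwwrun
sample=$(build_sample)
audit_docroot "$sample" "$(id -u)" "$(id -g)"
rm -rf "$sample"
```

An empty result means the tree matches the scheme; run it again after each upload, since newly copied files take the uploader's umask rather than the modes set by the earlier chmod -R.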