[lug] Fun with Apache
Hugh Brown
hugh at math.byu.edu
Thu Dec 30 19:37:19 MST 2004
On Wed, 2004-11-17 at 13:38 -0700, Matt Thompson wrote:
> On Wed, 2004-11-17 at 20:40 +0100, rm at fabula.de wrote:
> > On Wed, Nov 17, 2004 at 08:55:10AM -0700, Matt Thompson wrote:
> > >
> > > #!/bin/bash
> > > yum check-update
> > > yum --rss-filename=/var/www/html/yum-rss.xml generate-rss updates
> > > chown apache.apache /var/www/html/yum-rss.xml
> > >
> > > Of course, this is just a rough simple script from an F95 man that will
> > > probably kill PID 1 given a chance. What do the BLUG gurus say on the
> > > matter of security (or script design).
> >
> > IANAG but i tend _not_ to give my data to the user the webserver is
> > running as. The server only ever needs read permissions to server
> > the data (unless we're talking about mod_dav, but that's a different
> > story). If you chown instead of chmod then, in case of an apache break
> > in, your data can be compromised.
>
> OK. Like I said, in the squirrelmail and subversion setups, they always
> said to make all the files owned by www or apache. So, I followed that.
> But, it's simple enough to remove that.
>
> Thanks,
> Matt
I think what Ralf is getting at is that often the server just needs read
access to various files, but not write access. In the case of
subversion and squirrelmail, there are times when the server needs to be
able to write. Typically, you try and keep those areas separate and
give just enough permissions to do the job and no more.
Sometimes you can get by with putting the server user (apache in this
case) in a group and then giving the group read permissions (with a
chmod and a chgrp).
Hugh
More information about the LUG
mailing list