Web server security: file permissions
Joris Dobbelsteen
joris at familiedobbelsteen.nl
Wed Jun 25 19:49:35 UTC 2008
Dear,
I'm rebuilding my web server and (finally) moving to a newer
configuration that should finally bring some more decent security and
performance. However there are quite a few questions I have left and I
have trouble finding information about. Hopefully some knowledgeable
people can give me the practical information about this...
From a lot older mail I got this advice ("Server hacked" thread at 1 &
2 january 2008):
Res wrote:
> On Wed, 2 Jan 2008, Joris Dobbelsteen wrote:
>> At least there are some lessons in this:
>> * Use one-user-per-website only (easier auditing).
>
> Good idea...
>
> Dirs should be 710 for htdocs root
> eg: chmod 710 /var/www/vhosts
> chmod 710 /var/www/vhosts/example.com
> chmod 710 /var/www/vhosts/example.net
This would imply that
- user can do anything
- group can enter the directory (and nothing more?)
> Ensure the users who own those domains are the only ones with access,
> except group must be web server.
> eg: chown -R jack.apache /var/www/vhosts/example.com
> chown -R jill.apache /var/www/vhosts/example.net
/var/www/vhost/example.com 755 user:user
/var/www/vhost/example.com/cgi-bin 555 user:user
/var/www/vhost/example.com/htdocs 750 user:apache
In this case I'm puzzled how:
* apache, as the user is capable of actually reading htdocs.
> Use suexec in every virtualhost block in Apache
> eg: SuexecUserGroup jack apache
I didn't do this, instead I did SuexecUserGroup user user
If I do "SuexecUserGroup user apache", how does this isolate the
different users? As apache web server is capable of reading (through
group permissions), so should the user? Or what am I missing?
Any help, hints, pointers and good advice for this?
- Joris
More information about the ubuntu-users
mailing list