Web server security: file permissions
Carl Friis-Hansen
ubuntuuser at carl-fh.com
Wed Jun 25 21:25:38 UTC 2008
Joris Dobbelsteen wrote:
> <snip>
> > Dirs should be 710 for htdocs root
> > eg: chmod 710 /var/www/vhosts
> > chmod 710 /var/www/vhosts/example.com
> > chmod 710 /var/www/vhosts/example.net
>
> This would imply that
> - user can do anything
> - group can enter the directory (and nothing more?)
>
> > Ensure the users who own those domains are the only ones with access,
> > except group must be web server.
> > eg: chown -R jack.apache /var/www/vhosts/example.com
> > chown -R jill.apache /var/www/vhosts/example.net
>
> /var/www/vhost/example.com 755 user:user
> /var/www/vhost/example.com/cgi-bin 555 user:user
> /var/www/vhost/example.com/htdocs 750 user:apache
>
> In this case I'm puzzled how:
> * apache, as the user is capable of actually reading htdocs.
>
> > Use suexec in every virtualhost block in Apache
> > eg: SuexecUserGroup jack apache
> </snip>
It will work. Directories need bit 0 set (x) for both user(owner) and
web server(group) so that both fellows can get into these. Only owner
needs to write - normally. Give write permission to web server(group) in
cases like log files and directories where people can upload pictures or
other files. Make sure the FTP server sets user:www-data and 640 for all
files.
I have an HTTPS web page where my users can log in and change permissions
on all files below their document root, except for the logs directory.
--
+---------------------------------+-------------------+
| Carl Friis-Hansen | Fiskeryd Nybygget |
| http://computingconfidence.com/ | 341 91 Ljungby |
| Phone: +46 (0)372 15033 | Sveden |
+---------------------------------+-------------------+
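
An added example, not part of the original message: a small audit of one vhost tree against the mode bits discussed in this thread (no access for "other", x for owner and group on directories, group read on files, group write only below a logs or upload directory). The function name `audit_vhost`, the finding labels and the script name are hypothetical, and ownership (user:www-data) is assumed to be checked separately.

```shell
#!/bin/sh
# Added example: audit one vhost tree against the mode bits described in the thread.
# audit_vhost and its finding labels are hypothetical names. Ownership is not checked.
# Usage: audit_vhost ROOT [GROUP_WRITABLE_SUBDIR]   (ROOT without a trailing slash)
audit_vhost() {
    root=$1
    writable=${2:-logs}   # assumed name of the subdirectory where group write is expected

    # 1. No access at all for "other": any r, w or x bit in the last digit is a finding.
    find "$root" \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec printf 'OTHER-ACCESS %s\n' {} \;

    # 2. Directories need x for owner and group, or the web server cannot enter them.
    find "$root" -type d ! -perm -110 -exec printf 'NO-TRAVERSE %s\n' {} \;

    # 3. Files need group read (the 640 pattern), or the web server cannot serve them.
    find "$root" -type f ! -perm -040 -exec printf 'GROUP-NO-READ %s\n' {} \;

    # 4. Group write is only expected below the writable subdirectory (logs, uploads).
    find "$root" -path "$root/$writable" -prune -o -perm -020 \
        -exec printf 'GROUP-WRITE %s\n' {} \;
}

# Run directly (audit.sh is a hypothetical file name):
#   sh audit.sh /var/www/vhosts/example.com logs
if [ "$#" -gt 0 ]; then audit_vhost "$@"; fi
```

Each output line is one finding; an empty result means the tree matches the scheme.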