Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

chown -R apache:apache for web directory

Status
Not open for further replies.
apachenewby

apachenewby

MIS
Joined
Aug 23, 2006
Messages
13
Location
US
If apache is running under user apache group apache and if the ownership of all web directories /var/ are changed from root:root to apache:apache by chown -R apache:apache /var/ does it mean that the users visiting the website will assume the rights of the user apache and end up having full rights to the web directories and files? So it's a major security risk?

Thanks.
 
Sort by date Sort by votes
Well, the answer is "kind of". First, there is another element to the question of "rights". The attributes on the files and folders. These attributes control what any local user account (or group) can do within the filesysytem itself.

If a file looks like this:

--r--r--r apache.apache index.html

Then, the apache user and apache group and every other local system user can READ that file, and nothing more.

--r--r--- apache.apache index.html

Now the apache user and apache group are the ONLY non-root users who can read the file!

The difference between these is "chmod 444" vs "chmod 440"

It obviously goes on from there to extend Read, Write, and Execute priviledges on files.

Folders require the Execute priviledge to read from within them.

So that determines what a local user can do from a console or FTP client (and a few other ways).

NOW, once Apache takes control of what is exposed to Browser-based users, you have additional controls to prevent or authorize access to files...

DirectoryIndex creates a way to ensure that a file like "index.html" or "index.php" or "foo.bar" is always regarded as something the Apache server should render if a web folder is specified.

This is why returns the result from "index.php" and DOES NOT display a file folder list. If you remove "index.php" and you have no other files present that are defined as DirectoryIndex, then Apache WILL display the folder listing. HOWEVER, this generally does not mean that someone will be able to view your code.

You can go on from here with other Apache controls in .htaccess files and such.

An easy way to compromise yourself and/or Apache is to run untested or untrustworthy scripts. This is generally the way your Apache gets hacked. But this would be of your own carelessness, not by Apache's default posture towards security.

Whew...

I think the message I'd close with is that Apache essentially runs the Internet (as measured by web servers). Just like many things related to "security", the security of your system requires some educated effort and an understanding of the risks you can tolerate.

You can lock down your Apache to where it's so secure that nothing can get out, but then that's not very useful.

There are PLENTY of "how to secure Apache" web pages and books out there. This has all been said before.

Good luck!





D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
Thank you for the information.
If the directory/file permissions are 755 and the owner:group is apache:apache then do the users visiting the site sssume the rights of apache user or others?
So if owner:group is apache:apache and permissions are rwxr-xr-x then are the website visiting users given rwx or r-x?
 
Upvote 0 Downvote
They are NOT given any permissions per se.
Apache controls it. If you enable a module in Apache that functions like an FTP server (or you run a real FTP server) then you are going to have some impact around what the user can read/write.

Remember, the browser experience is client engine to server engine. Server engine needs permissions to perform it's functionality, but those permissions are not given to the client. The client receives content.

You seem to be asking a question that isn't the real question. Are you worrying about web content, or FTP, or DOM, or samba, or what?

D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
I was concerned that if the users would assume the rights of apache then changing the ownerwhip to apache would be a security issue. Wasn't sure how it worked.
As long as the permissions are not given to the client, we should be good.

Thanks!
 
Upvote 0 Downvote
Keep in mind that if you chown apache's entire web space, then the admins of each domain could not upload files to their website because it is owned by apache. You would have to give apache a password so folks could su to user apache. This would be no way to run a server. Even if you are the only one who has access to the websites, why would you pass ownership to a user with no shell or ftp access or any login at all for that matter?

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Krus1972
  • Locked
  • Question Question
Rewrite Rule for .htaccess Help
Replies
0
Views
638
Krus1972
Krus1972
SamBones
  • Locked
  • Question Question
How Do I Start/Stop Systemd Services as a non-root User?
Replies
2
Views
2K
gbaughma
gbaughma
krabban
  • Locked
  • Question Question
Dirvish for backup
Replies
0
Views
555
krabban
krabban
MCP2000
  • Locked
  • Question Question
CentOS 6.9, LDAP, Vault, Active Directory
Replies
0
Views
355
MCP2000
MCP2000
msk69
  • Locked
  • Question Question
Format Conversion query
Replies
6
Views
781
MBTC
MBTC

Part and Inventory Search

Sponsor

Back
Top