Hi everyone
I've tinkered with Linux for a couple of years (primarily live CDs) and thought it was about time that I did something useful and "serious" for myself and work colleagues. I've set up a 32-bit CentOS 6.5 VM in VirtualBox with LAMP so I can use my PHP/MySQL skills. I set this all up just before CentOS 7 came out and will consider moving in that direction in due course.
I have the root user and a standard user with which I log in but use "su -" when required. SELinux is enabled, enforcing and targeted.
At present, it's all a local configuration but, in due course, I'm likely to upload to a hosted site and I know that security is going to be vitally important. I've noticed something about the Apache installation which confuses me and I don't know if it's something that I've done incorrectly or I've just misunderstood:
In httpd.conf, it states "User apache" and "Group apache" and, as far as I understand, that's the user/group under which httpd is running.
When I navigate to /var/www and run ls -la, it shows me that the /html/ folder has permissions 755 and the owner is root root.
I created a simple info.php file in /var/www/html and its permissions/owner are 644 and root root (not unexpected, given the permissions/owner of the parent folder).
I can navigate to info.php without any errors.
I realise that root has overall control and access so assume that this is the reason why I didn't see any errors, but I'm surprised that /var/www/html/ doesn't have apache apache as the owner and group. I've tried to see if root user is a member of apache group but I've drawn a blank.
Question 1: Why is the owner root root rather than apache apache?
I plan to configure VirtualHosts with DocumentRoots at /var/www/html/site1, /var/www/html/site2 etc. If the situation that I am seeing is entirely expected,
Question 2: Should I change the owner of /site1 and /site2 to be user:webadmin1, group:apache and user:webadmin2, group:apache respectively?
Finally, I plan to configure vsftpd with users webadmin1 and webadmin2 so they can use FileZilla to upload their files.
Question 3: Is this a good approach?
Thanks for your time and patience and apologies as I'm sure this is a really noob series of questions!
Owner of /var/www/html and subfolders
Re: Owner of /var/www/html and subfolders
The reason the files are owned by root and not apache is security.
You don't want anyone who gains access through an http exploit to be able to modify your site.
Re: Owner of /var/www/html and subfolders
The directory is owned root:root so that no-one except root can write to it. The httpd process runs as user apache and has read access to the directory and files by means of the "other" permissions - the xx5 and xx4 in 755 and 644. This means that anyone who can subvert apache and gain access to it cannot write to the docroot since they are not root and the user they effectively run under is apache. They can't amend your existing files nor can they write new ones.
> I plan to configure VirtualHosts with DocumentRoots at /var/www/html/site1, /var/www/html/site2 etc.

If you leave your docroot as /var/www/html then your sites will be http://servername1/site1/ and http://servername2/site2/ so users of site2 could change the url displayed and get to site1's content. I prefer to use virtual hosts and create my sites under /var/www/site1 and /var/www/site2 and then they are not directly under the default server's docroot and you can't get from one to the other so easily.

> Question 2: Should I change the owner of /site1 and /site2 to be user:webadmin1, group:apache and user:webadmin2, group:apache respectively?

No. If you need to have write access via a different userid than root then leave the files/directories owned by root and use a different group. Put your ftp user in that group but do not add the apache user, leave that having readonly access via the "other" permission settings.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Owner of /var/www/html and subfolders
I'm very grateful for your prompt replies and the "Eureka" moment that they gave me!
Now I appreciate my confusion was the relationship between the apache user and the httpd process and between the apache process and the files on the web server. The apache user only needs read access to the files and that is as "other" user. When Joe Public accesses my website, the httpd process running as apache is responsible for interrogating the files and sending them to the client browser, so this should have access which is "lowest of the low".
I'll implement the system of files being owned by root user and a "webadmin" group and then I'll put the developers into the "webadmin" group with read/write access. Finally, I realise that folders also need the execute permission to allow access to their contents.
Re: Owner of /var/www/html and subfolders
A lot of content management systems will need to have apache be able to rwx on some folders and files, Joomla being one of them. I've been assigning the group as apache group for this, leaving owner as root. Might not be the best of security, but I don't know of a better way.
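The following script is an added example, not code posted in this thread. It puts the scheme from the reply above ("leave the files owned by root, use a separate group for the people who upload, let apache read only through the 'other' bits") into a couple of reusable shell functions, and adds an audit function that answers the question raised by the last post about CMS directories: which paths could a given group, for instance the apache group, actually modify? The group name webadmin, the /var/www/site1 path and the function names are assumptions. Changing ownership to root requires root, so the functions only set the group and the mode bits and leave the chown to the caller.

```shell
#!/bin/sh
# Added example (not from the thread). Files stay owned by root, a
# separate "webadmin" group gets write access, and the apache user reads
# everything only through the "other" permission bits. Group and path
# names are assumptions; chown to root is left to the caller.

# apply_docroot_perms DOCROOT GROUP
#   directories -> 2775: rwx for owner and group, setgid so new files
#                  inherit the group, r-x for "other" so apache can traverse
#   files       -> 664:  rw for owner and group, r for "other" so apache can read
apply_docroot_perms() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# verify_docroot_perms DOCROOT
#   returns 0 when nothing under DOCROOT is world-writable and every
#   directory carries the setgid bit; otherwise prints the offenders to
#   stderr and returns 1.
verify_docroot_perms() {
    bad=$(find "$1" \( -perm -002 -o \( -type d ! -perm -2000 \) \) -print)
    [ -z "$bad" ] && return 0
    printf 'insecure entries under %s:\n%s\n' "$1" "$bad" >&2
    return 1
}

# list_group_writable DOCROOT GROUP
#   audit helper: prints every path a member of GROUP could modify. Run it
#   with the apache group to see what a subverted httpd could write; the
#   answer should be nothing, or only a CMS upload/cache directory.
list_group_writable() {
    find "$1" -group "$2" -perm -020 -print
}

# count_group_writable DOCROOT GROUP -> number of group-writable paths
count_group_writable() {
    list_group_writable "$1" "$2" | wc -l | tr -d ' '
}

# Demonstration on a throwaway tree built here (constructed sample data).
# The real run, as root after "chown -R root /var/www/site1", would be:
#   apply_docroot_perms /var/www/site1 webadmin
demo_docroot_perms() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site1/css"
    printf '<?php phpinfo();\n' > "$tmp/site1/info.php"
    chmod 777 "$tmp/site1/css"        # deliberately sloppy starting state
    apply_docroot_perms "$tmp/site1" "$(id -gn)"
    verify_docroot_perms "$tmp/site1" && echo "docroot layout OK"
    echo "paths writable by group $(id -gn):"
    list_group_writable "$tmp/site1" "$(id -gn)"
    rm -rf "$tmp"
}
demo_docroot_perms
```

For the vsftpd users mentioned in the first post, the setgid bit on the directories makes uploaded files inherit the webadmin group, but the files are only group-writable if the upload umask allows it (vsftpd's `local_umask` setting controls that; 022 would leave them group-read-only). For a CMS that genuinely needs to write, the same `apply_docroot_perms` call can be pointed at just the upload or cache subtree with the apache group, and `list_group_writable DOCROOT apache` then shows that nothing else is exposed.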