Re: [Hampshire] Apache web root permissions

Author: Adrian Bridgett
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Apache web root permissions
On Fri, Nov 27, 2009 at 10:47:28 +0000 (+0000), Stephen Nelson-Smith wrote:
> I have a site running drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).


Hmm - I don't need much for my Drupal install FWIW - just "files".
This is an install of my updated Drupal 6.14 packages for Ubuntu 8.04 (from my
site at http://bitcube.co.uk/content/packages), hence www-data not apache.

$ find /usr/share/drupal6/ ! -user root
(nothing)

$ ls -l /usr/share/drupal6/sites/default/
total 16
-rw-r--r-- 1 root root       36 2009-03-26 10:24 baseurl.php
-rw-r----- 1 root www-data  536 2009-09-21 21:20 dbconfig.php
lrwxrwxrwx 1 root root       22 2009-03-26 09:48 files -> /var/lib/drupal6/files
-rw-r--r-- 1 root root     6131 2009-03-26 09:19 settings.php


$ ls -l /var/lib/drupal6/
total 8
drwxr-xr-x 2 root     root     4096 2009-03-01 18:06 backups
drwxr-x--- 6 www-data www-data 4096 2009-09-16 18:23 files



> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write


Seems sensible to me - files owned by root as far as possible so any
apache process can't change them, then apache where you need it.

Adrian
--
bitcube.co.uk - Linux infrastructure consultancy
Puppet, Debian, Red Hat, Ubuntu, CentOS, ...
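
The layout agreed on in this thread (files owned by root, the web server account owning only the places it must write) can be checked after the fact. The following is an added example, not part of the original message: a POSIX shell function that lists everything under a web root the server account could modify, apart from directories named as intentionally writable. The function name `audit_webroot` and its argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list what the web server account could modify under a web root.
# Usage: audit_webroot ROOT WEB_USER WEB_GROUP [WRITABLE_DIR...]
#   e.g. audit_webroot /usr/share/drupal6 www-data www-data
# WRITABLE_DIR entries are places the server is meant to write (uploads,
# a SAN mount); give them with the same prefix as ROOT. They are treated as
# find -path patterns and skipped together with everything below them.
audit_webroot() {
    [ "$#" -ge 3 ] || { echo "usage: audit_webroot ROOT USER GROUP [DIR...]" >&2; return 2; }
    root=$1; user=$2; group=$3
    shift 3
    n=$#
    # Turn each remaining argument into a "-path DIR -prune -o" clause.
    while [ "$n" -gt 0 ]; do
        dir=$1; shift
        set -- "$@" -path "$dir" -prune -o
        n=$((n - 1))
    done
    # A path is flagged when the account:
    #   owns it (an owner can always chmod the file back to writable),
    #   reaches it through a group-writable bit on its group, or
    #   reaches it through the world-writable bit.
    # Symlinks are skipped: their own mode bits are not what the kernel checks.
    find "$root" "$@" ! -type l \
        \( -user "$user" -o \( -group "$group" -perm -020 \) -o -perm -002 \) \
        -print
}
```

Empty output means the account cannot change anything outside the listed directories. Because symlinks are not followed, a target such as /var/lib/drupal6/files is outside the audit unless it is passed as its own ROOT.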