LinuxQuestions.org


tyler0123 03-21-2005 01:49 PM

apache security
 
I am running Fedora Core 3. This is my first time posting a question here. I have installed apache2/php5/mysql5. I guess I was hoping someone could give me a basic rundown of permissions. I am going to have one site on the system. I made a group of users called ftp-users. I want the ftp users to have permissions to write files via ftp to the DocumentRoot (/var/www/html) directory. But I don't want to compromise security on my DocumentRoot for web server stuff. What should my permissions on the DocumentRoot be? Maybe I should ask this. If you were to set up an apache server to serve one site, what would your permissions be on the DocumentRoot for maximum security and still allow php scripts to run? Would it be easier for me to set permissions if I did use a folder within the DocumentRoot to store my html and php files in? Any help would be greatly appreciated. Thanks. :D

Donboy 03-21-2005 02:00 PM

Yeah, you can create a directory called cgi-bin somewhere under your document root and put all your php scripts in this directory. There are directives you can set in your config file that will enable execution of these scripts for that directory. This way, you don't have rogue php scripts all over the place.

If you're running with apache/apache as the user/group, then you can chmod your scripts to 700 or 755... really as long as you don't use a 7 in the second or third digit, you're probably ok.

If you start adding user accounts to your system and adding more websites in the future, then you should think about running with suexec and maybe tighten up the permissions a little more.

tyler0123 03-21-2005 03:01 PM

thanks for the reply
 
okay, so what would be the best permissions for the documentroot itself? don't mean to ask dumb questions. but whenever i change permissions on the document root, it seems i cannot create folders and stuff with dreamweaver, via ftp connection, in the document root.

Donboy 03-21-2005 03:29 PM

755 is safe enough for that level.

tyler0123 03-21-2005 03:32 PM

thanks again
 
i will test. i totally appreciate your prompt replies bro.

tyler0123 03-21-2005 03:42 PM

new issue
 
okay, so i change the permissions to 755 for the documentroot. now the ftp users cannot make directories in there with dreamweaver. so now under the document root i should create another folder to house my php pages and stuff? and give the group i want to allow write access ownership of that directory? and modify those permissions accordingly while leaving the docroot 755? like i said, i don't mean to be a pest, but want to make sure i learn this so in the future i don't have to post here about it again.

Donboy 03-21-2005 04:55 PM

It's OK to make all of the subdirectories under your document root chmod 755. I assume the problem you are having is... each FTP user is logging in as a different username. The directories you have under your document root are probably owned by the "apache" user and since they only allow write access to the owner, the FTP users are not allowed to write into these directories.

One solution is to have all of your FTP users log in as the same user account and then chown everything under your document root to that user.

Another solution is to have all of your FTP users part of the same group and then give all your directories write access for the group. So you'd use chmod 775 instead for all your folders. This means your security is getting more relaxed.

The other solution is to have everyone logging in as the apache user, which isn't very good either, but I can see no other way of doing it.

I'd be careful anyway about allowing a whole bunch of users to log in to the same website. Remember the old saying... Too many cooks spoil the broth. It's easy for them to walk all over each other when 2 (or more!) users are logged in at the same time and manipulating files.
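Added example, not part of the original thread: shell functions for the shared-group option described in the reply above (all FTP users in one group, group-writable directories), with an audit that reports world-writable entries. The function names are hypothetical. It assumes the FTP accounts are in `ftp-users` and the web server user is not, and it sets directories to 2775 rather than the 775 mentioned in the thread so that uploads inherit the shared group.

```shell
#!/bin/sh
# Added example (not from the thread): shared-group layout for a DocumentRoot.
# Assumptions: FTP accounts belong to GROUP; the web server user is NOT a
# member of GROUP, so it reaches content only through the "other" bits.
# Assumption: PHP runs inside the server (mod_php), so scripts need read only.

# apply_group_docroot DIR GROUP
#   directories -> 2775 (group-writable; setgid so new entries inherit GROUP)
#   files       -> 664  (group-writable, never world-writable)
apply_group_docroot() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 664 {} +
}

# audit_docroot DIR
#   Prints every entry that breaks the layout:
#     WORLD-WRITABLE  file or directory with the o+w bit (a 7, 6, 3 or 2
#                     in the third digit)
#     NO-SETGID       directory where an upload would keep the uploader's
#                     own primary group instead of the shared one
#   Returns 0 when nothing is reported, 1 otherwise.
audit_docroot() {
    dir=$1
    report=$(
        find "$dir" ! -type l -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;
        find "$dir" -type d ! -perm -2000 \
            -exec printf 'NO-SETGID %s\n' {} \;
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# On the server described in the thread (run as root):
#   apply_group_docroot /var/www/html ftp-users
#   audit_docroot /var/www/html
```

The FTP daemon's umask also has to allow group write (for example 002), otherwise new uploads arrive as 644 and other members of the group cannot edit them.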

tyler0123 03-26-2005 02:04 PM

hey thanks
 
yeah, i checked and noticed my reply didn't get posted. yeah i had that problem and pulled my head out and thought about it and figured it out about the time i got your reply. anyway thanks man. it is for development so i think i will do the 775, then secure it up when the app is finished. thanks again for getting back to me so fast. that was awesome bro.


All times are GMT -5.