LinuxQuestions.org


Palula 07-05-2006 09:33 PM

Uncomfortable security issues with Apache Folder Tree
 
I'm using Fedora Core 3. But my concern flows way ahead any Fedora distribution (perhaps any distro around)...

I'm using Mantis, a PHP web based bugtracker at home as a task manager and it works really fine. The problem is that the whole folder tree is readable/writable/executable to all users on the system...

drwxrwxrwx mantis/

It has a lot of configs inside its folder which have passwords etc. The files are readable/writable/executable too, to all users on the system.

If I disable rwx permissions for other users (not root), things start to go wrong. If I disable those permissions to the folder, things start to go wrong too...

The same things happen to the phpmyadmin folder inside apache...

By the way, the tree works like this:

mantis = /var/www/html/mantis
phpmyadmin = /var/www/html/phpmyadmin

How can I overcome this problem?

Is Apache meant to be a "one and only user" machine (root)? What if I have a multiuser machine?

gilead 07-05-2006 09:49 PM

I run my Apache as user:group apache:apache and all of the files under /var/www are owned by apache:apache. rwx permissions are 000 for others; only the apache user and apache group members can access the directory structure.

I'm not running the same apps you are, but it should work since I have read/write access to the required files and directories while not allowing other users access to anything under /var/www.

Hope that helps - or at least starts some debate... :)
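
The approach from gilead's reply as a POSIX shell script (an added example, not posted by anyone in the thread): it counts entries that still grant access to other users, then hands the tree to the web server account and removes that access. The function names, the `config.php` file and the temporary demo tree are constructed; on a real host the call would be `lock_down_tree /var/www/html/mantis apache apache`, run as root.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the thread).

# Print every non-symlink entry under $1 that grants r, w or x to "other".
list_world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of such entries (0 means nothing is exposed to other local users).
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# $1 = directory, $2 = owner, $3 = group.
# Give the tree to the web server account, then remove all "other" access,
# which is the "000 for others" state described in the reply.
lock_down_tree() {
    chown -R "$2:$3" "$1" || return 1
    chmod -R o-rwx "$1"
}

# Constructed demo in a temporary directory, using the current user and group
# in place of apache:apache so it runs without root.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/mantis"
    echo 'db_password = example' > "$tmp/mantis/config.php"   # constructed file
    chmod 777 "$tmp/mantis"
    chmod 666 "$tmp/mantis/config.php"
    echo "before: $(count_world_accessible "$tmp/mantis") world-accessible entries"
    lock_down_tree "$tmp/mantis" "$(id -u)" "$(id -g)"
    echo "after:  $(count_world_accessible "$tmp/mantis") world-accessible entries"
    ls -ld "$tmp/mantis"
    rm -rf "$tmp"
}

demo
```

Running `count_world_accessible /var/www/html` again after an application upgrade shows whether an installer has put world-writable files back.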

Palula 07-06-2006 10:48 PM

Worked perfectly! :)


All times are GMT -5.