LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (http://www.linuxquestions.org/questions/linux-software-2/)
-   -   apache doc root ownership (http://www.linuxquestions.org/questions/linux-software-2/apache-doc-root-ownership-459276/)

lt_wentoncha 06-28-2006 07:13 PM

apache doc root ownership
 
Hi all,

So, the owner:group of my apache root folder is apache2:www. How should I go about securing the root folder? I ran passwd on apache2 and changed the password...is it safer to have that account disabled? What type of security regimen should I employ when logging into the doc folder?

Thanks again for the help.

cdhgee 06-30-2006 09:23 AM

It depends on your intentions. The password of the account used to run apache is irrelevant because if it's been set up correctly that account shouldn't be configured for interactive access, and the apache process will be started by root using setuid. As long as the apache account has either owner or group read access to the doc root, you should be fine, and you can remove access from other users entirely.

Of course, you may want to have some users to have access to the docroot so they can maintain the website...

lt_wentoncha 06-30-2006 04:04 PM

Quote:

Originally Posted by cdhgee
It depends on your intentions. The password of the account used to run apache is irrelevant because if it's been set up correctly that account shouldn't be configured for interactive access, and the apache process will be started by root using setuid. As long as the apache account has either owner or group read access to the doc root, you should be fine, and you can remove access from other users entirely.

Of course, you may want to have some users to have access to the docroot so they can maintain the website...

Hmmm, did I mess it up by assigning in it a password? It wasn't my intention to access the folder as apache2, but as some other account.

Thanks.

cdhgee 06-30-2006 04:54 PM

No, it just doesn't matter whether it has a password or not because the password is never used.

If you want to control what users can access the docroot folder, the best way is to set it up as follows:

set the owner to be apache2, and run httpd under the apache2 account. set permissions for the owner to r-x
set the group to be www, and add users who you want to allow to modify the docroot & its contents to this group. set permissions for the www group to rwx
set the permissions for all others to be r-x or --- depending on your preference

thus you should end up with

Code:

dr-xrwx--- apache2 wwww        mydocroot
or something similar.


All times are GMT -5. The time now is 11:22 PM.