Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
On most systems, Apache is installed to run as user nobody and group nobody. Or user httpd and group httpd. Or something along those lines. This prohibits us from leaving files for our website with 700 permissions, correct? (Apache must be able to read those files) However, this means that all users on the system can also read those files. What can be done to mitigate this risk? For example, php scripts often have mysql usernames and passwords in them. How can I allow apache access without destroying security? Are ACLs the only effective option?
You could change the group of the files to the group of the httpd user (i.e. nobody or httpd); and then give 750 (or 640) permissions. Hopefully, no regular users will be in that group.
Alternately (but less good), you can create a group that all users are in (e.g. "users") and change the group of the files to that group and then give 705 (or 604) permissions.
Also, for security, when Apache doesn't need to list a directory (e.g. to create an index when there is no index.html), you should not give it read permission to that directory. Execute permission is sufficient for it to access the files underneath without allowing it to list the directory.
I think your description of read/execute on directories is backwards, but I may be wrong. I'll double check later.
Additionally, I think 705 would still give all users permission to read, through the "other" value. Again, I could be wrong, but it would be logical.
chgrp returns "Permission denied" when chgrpping to nobody, so I'm not sure that avenue is possible.
This isn't critical, but just a matter of curiousity that one would think would've been more explored before now with the ubiquity of the apache server.
"chgrp" only allows you to change to a group of which you are a member (and I wouldn't think you are in nobody), so you probably have to do it as root.
As an alternative, you can create another group (e.g. "www") and put "nobody" and you in it and use that. The advantage of this is that you can allow other people to access the files by putting them in this group.
By web users I just meant the people who need to adminstrate your PHP scripts and stuff (which is probably just you). Other users don't need access to it.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
