At the present time, my /var/www folder is owned by root.
/var/www/html is the web facing folder.
Should this be owned by a different user like webserver or something else?
apache maybe?
apache:x:48:48:Apache:/var/www:/bin/false
Who should own the other folders like cgi-bin etc?
Code:
[root var]# cd www
[root www]# ls -l
total 52
drwxr-xr-x  2 root      root 4096 Feb  7  2010 cgi-bin
drwxr-xr-x  3 root      root 4096 Aug 20  2009 error
drwxr-xr-x  3 root      root 4096 Aug 20  2009 htdocs
drwxr-xr-x  2 root      root 4096 Apr  6 09:50 html
drwxr-xr-x  3 root      root 4096 Dec  1 00:03 icons
drwxr-xr-x 14 root      root 4096 Aug 20  2009 manual
drwxr-xr-x  2 webalizer root 4096 Dec  2 00:00 usage
Last edited by qwertyjjj; 04-06-2011 at 03:55 AM.
The ownership for /var/www and the normal directories within is root:root. What you gave us for output of ls -al is correct. May I ask why you are asking? Are you running into any problems?
Quote:
The ownership for /var/www and the normal directories within is root:root. What you gave us for output of ls -al is correct. May I ask why you are asking? Are you running into any problems?
No problems, I just thought it was strange. If all the files in /var/www/html (e.g. index.php) have root ownership, doesn't that allow a hacker to run web hacks through root?
If the files were owned by apache then that wouldn't be possible.
Secondly, what is webalizer? I see that webalizer owns the usage folder.
And for your first question, you don't need to worry. Apache runs with apache ownership; you can not write to the files/directories by default, unless you specifically set up the permissions to allow writing, which would be very dumb....
/var/www and all its files/subdirectories should be owned by the user and group that runs apache (apache:apache for example)!!
Every single default install of apache, either from source packages or coming with a distro, always had root:root ownership for /var/www/html and such. So you are saying that it is all wrong?
Quote:
And for your first question, you don't need to worry. Apache runs with apache ownership; you can not write to the files/directories by default, unless you specifically set up the permissions to allow writing, which would be very dumb....
So, if someone managed to hack into a webpage through SQL injection or other then any files created would automatically have apache ownership?
I turned on safe mode so in theory that should prevent anything bad running.
So then it's more about securing up the permissions then, correct?
Yes it is.
Quote:
Every single default install of apache, either from source packages or coming with a distro, always had root:root ownership for /var/www/html and such. So you are saying that it is all wrong?
That is true, although I don't understand this default approach. It is not necessarily "wrong", but from a security point of view it is not "optimal".
The -g 25 and -u 25 set the gid and uid; check to see that these are not already used. If they are used, look for a free number that is lower than 500.
I'm not sure if the usage directory should be owned by webalizer instead of apache. You can always execute the following if this is the case:
Code:
chown -R webalizer:apache /var/www/usage
Start apache.
Hope this helps.
The conf had this already:
Code:
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group #-1 on these systems!
#
User apache
Group apache
Should be enough?
What about the cgi-bin? I don't use cgi, is there even a need for cgi in today's server side coding?
So, is it best to delete the cgi folder?
Anyway, the whole /var/www folder is owned by apache now and the httpd service seems to be running correctly.
@druuna, would you please clarify something that I am conceptually missing from your advice. If I read your post correctly, you are advocating making the web files owned by the Apache process. My understanding is that should Apache become compromised by an intruder, that these files by being owned by this process would be modifiable by whomever took control of the process. From my recollection, setting a false login shell does not prevent this as many processes have been locked out of login, but update (write) to files. This seems like it would be exceedingly dangerous. By making the files owned by root, an intruder would need to gain root privilege in order to modify the content.
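The disagreement in this thread (druuna's "chown -R to apache:apache" advice versus the objection that root-owned content cannot be altered by a compromised httpd) comes down to the ordinary Unix owner/group/other write bits evaluated for the uid httpd's workers run as. The following audit script is an added example, not code from the thread or from the Apache project: it reproduces that permission check in Python (assuming the web account is unprivileged, so the root/CAP_DAC_OVERRIDE bypass is deliberately not modelled) and runs it over a constructed /var/www look-alike under both ownership models. Since it cannot chown without root, the "apache owns everything" model is emulated by passing the current user's uid/gid as the web account, and the "root owns everything, httpd is an unrelated user" model by passing a uid/gid that owns nothing in the tree.

```python
"""Audit a document root for paths the web-server account could write to.

Added example (not from the forum thread). It applies the classic Unix DAC
check (owner/group/other write bits) against the uid and gids httpd runs as,
so a defender can see which files a compromised worker process could modify.
"""
import os
import stat
import tempfile


def writable_by(st: os.stat_result, uid: int, gids: set[int]) -> bool:
    """True if an unprivileged process with this uid/gids could open the path for writing.

    uid 0 is not special-cased: httpd workers never run as root, and root
    bypasses these bits anyway (CAP_DAC_OVERRIDE), so it is out of scope here.
    """
    mode = st.st_mode
    if st.st_uid == uid:                   # owner class: only the owner bits apply,
        return bool(mode & stat.S_IWUSR)   # even if group/other bits are more permissive
    if st.st_gid in gids:                  # group class
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)       # everyone else


def audit_docroot(root: str, web_uid: int, web_gids: set[int]) -> list[str]:
    """Return sorted, root-relative paths under root that the web account could modify."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):   # symlink bits are meaningless; check the target separately
                continue
            if writable_by(st, web_uid, web_gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed /var/www look-alike and audit it under two ownership models."""
    # Constructed sample tree (hypothetical, not the poster's real server).
    dirs = {"html": 0o755, "cgi-bin": 0o755, "uploads": 0o777}  # uploads is world-writable
    files = {"html/index.php": 0o644, "html/readonly.html": 0o444, "cgi-bin/script.cgi": 0o755}
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for rel, mode in dirs.items():
            os.mkdir(os.path.join(root, rel))
            os.chmod(os.path.join(root, rel), mode)
        for rel, mode in files.items():
            open(os.path.join(root, rel), "w").close()
            os.chmod(os.path.join(root, rel), mode)
        owner = os.stat(root)
        # Model 1: the web account owns the tree (the result of "chown -R apache:apache").
        # Emulated by treating the current user (who owns the temp tree) as the web account.
        owned = audit_docroot(root, owner.st_uid, {owner.st_gid})
        # Model 2: the tree is root-owned and httpd runs as an unrelated uid/gid
        # (the distro default). Emulated with ids that own nothing in the tree.
        unowned = audit_docroot(root, owner.st_uid + 1, {owner.st_gid + 1})
        return owned, unowned


if __name__ == "__main__":
    owned, unowned = demo()
    print("web account owns the tree, writable:", owned)
    print("root owns the tree, writable:      ", unowned)
```

Under the "apache owns everything" model every 0644 file and 0755 directory is writable by the web account, because the owner write bit is set by default; "you cannot write unless you set permissions" only holds when the content is owned by someone else. Under the root-owned model only the deliberately world-writable uploads directory shows up, which is the usual recommendation: keep the document root owned by root (or a separate deploy user), and grant the httpd account write access only to the specific directories that need it. Run the audit against a real docroot with the uid and gids of the configured `User`/`Group` (for example `pwd.getpwnam("apache").pw_uid`).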