LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-06-2011, 03:51 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Rep: Reputation: 30
which user should own /var/www


At the present time, my /var/www folder is owned by root.
/var/www/html is the web facing folder.
Should this be owned by a different user like webserver or something else?
apache maybe?
apache:x:48:48:Apache:/var/www:/bin/false

Who should own the other folders like cgi-bin etc?

[root var]# cd www
[root www]# ls -l
total 52
drwxr-xr-x 2 root root 4096 Feb 7 2010 cgi-bin
drwxr-xr-x 3 root root 4096 Aug 20 2009 error
drwxr-xr-x 3 root root 4096 Aug 20 2009 htdocs
drwxr-xr-x 2 root root 4096 Apr 6 09:50 html
drwxr-xr-x 3 root root 4096 Dec 1 00:03 icons
drwxr-xr-x 14 root root 4096 Aug 20 2009 manual
drwxr-xr-x 2 webalizer root 4096 Dec 2 00:00 usage

Last edited by qwertyjjj; 04-06-2011 at 03:55 AM.
 
Old 04-06-2011, 04:20 AM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
The ownership for /var/www and the normal directories within is root:root. What you gave us for output of ls -al is correct. May I ask why you are asking? Are you running into any problems?
 
Old 04-06-2011, 04:29 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by corp769 View Post
The ownership for /var/www and the normal directories within is root:root. What you gave us for output of ls -al is correct. May I ask why you are asking? Are you running into any problems?
No problems, I just thought it was strange. If all the files in /var/www/html (eg index.php) have root ownership, doesn't that allow a hacker to run web hacks through root?
If the files were owned by apache then that wouldn't be possible.

Secondly, what is webalizer? I see that webalizer owns the usage folder.
 
Old 04-06-2011, 04:35 AM   #4
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2405
Hi,

I do not agree with corp769's answer.....

/var/www and all its files/subdirectories should be owned by the user and group that runs apache (apache:apache for example)!!
 
Old 04-06-2011, 04:35 AM   #5
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
http://www.mrunix.net/webalizer/
Webalizer is a log analysis program. Check out all the files in the usage directory

And for your first question, you don't need to worry. Apache runs with apache ownership; you can not write to the files/directories by default, unless you specifically set up the permissions to allow writing, which would be very dumb....
 
Old 04-06-2011, 04:39 AM   #6
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Quote:
Originally Posted by druuna View Post
Hi,

I do not agree with corp769's answer.....

/var/www and all its files/subdirectories should be owned by the user and group that runs apache (apache:apache for example)!!
Every single default install of apache, either from source packages or coming with a distro, always had root:root ownership for /var/www/html and such. So you are saying that it is all wrong?
 
Old 04-06-2011, 04:45 AM   #7
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by corp769 View Post
http://www.mrunix.net/webalizer/
Webalizer is a log analysis program. Check out all the files in the usage directory

And for your first question, you don't need to worry. Apache runs with apache ownership; you can not write to the files/directories by default, unless you specifically set up the permissions to allow writing, which would be very dumb....
So, if someone managed to hack into a webpage through SQL injection or other then any files created would automatically have apache ownership?
I turned on safe mode so in theory that should prevent anything bad running.
 
Old 04-06-2011, 04:50 AM   #8
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
http://httpd.apache.org/docs/1.3/mis...rity_tips.html

Kind regards
 
Old 04-06-2011, 04:55 AM   #9
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Quote:
Originally Posted by repo View Post
So then it's more about securing up the permissions then, correct?
 
Old 04-06-2011, 05:26 AM   #10
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2405
Hi,
Quote:
Originally Posted by corp769 View Post
So then it's more about securing up the permissions then, correct?
Yes it is.

Quote:
Every single default install of apache, either from source packages or coming with a distro, always had root:root ownership for /var/www/html and such. So you are saying that it is all wrong?
That is true, although I don't understand this default approach. It is not necessarily "wrong", but from a security point of view it is not "optimal".
 
Old 04-06-2011, 07:16 AM   #11
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
So, I should change /var/www to apache:apache ?
or just /var/www/html ?
 
Old 04-06-2011, 07:33 AM   #12
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2405
Hi,

Assuming apache is not running.

You probably need to do 2, maybe 3 things:

1) Change owner:group of the /var/www directory and its content:
Code:
chown -R apache:apache /var/www
2) Change the user and group that apache server runs as in your httpd.conf file:
Code:
<IfModule !mpm_netware_module>
  User apache
  Group apache
</IfModule>
3) The user and group used in step 2 should already exist, create both if they don't:
Code:
groupadd -g 25 apache
useradd -c "Apache Server" -d /dev/null -g apache -s /bin/false -u 25 apache
The -g 25 and -u 25 set the gid and uid; check that these are not already used. If they are, look for a free number that is lower than 500.

I'm not sure if the usage directory should be owned by webalizer instead of apache. You can always execute the following if this is the case:
Code:
chown -R webalizer:apache /var/www/usage
Start apache.


EDIT: See post #15 and onwards.

Hope this helps.

Last edited by druuna; 04-06-2011 at 10:13 AM. Reason: Info is wrong!
 
Old 04-06-2011, 08:00 AM   #13
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by druuna View Post
Hi,

Assuming apache is not running.

You probably need to do 2, maybe 3 things:

1) Change owner:group of the /var/www directory and its content:
Code:
chown -R apache:apache /var/www
2) Change the user and group that apache server runs as in your httpd.conf file:
Code:
<IfModule !mpm_netware_module>
  User apache
  Group apache
</IfModule>
3) The user and group used in step 2 should already exist, create both if they don't:
Code:
groupadd -g 25 apache
useradd -c "Apache Server" -d /dev/null -g apache -s /bin/false -u 25 apache
The -g 25 and -u 25 set the gid and uid; check that these are not already used. If they are, look for a free number that is lower than 500.

I'm not sure if the usage directory should be owned by webalizer instead of apache. You can always execute the following if this is the case:
Code:
chown -R webalizer:apache /var/www/usage
Start apache.

Hope this helps.
The conf had this already:
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
User apache
Group apache


Should be enough?

What about the cgi-bin? I don't use cgi, is there even a need for cgi in today's server side coding?
So, is it best to delete the cgi folder?
Anyway, the whole /var/www folder is owned by apache now and the httpd service seems to be running correctly.
 
Old 04-06-2011, 08:10 AM   #14
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2405
Hi,
Quote:
Originally Posted by qwertyjjj View Post
The conf had this already:
# User/Group: The name (or #number) of the user/group to run httpd as.
#
User apache
Group apache


Should be enough?
If those are already there: Leave it as is.

Quote:
What about the cgi-bin? I don't use cgi, is there even a need for cgi in today's server side coding?
So, is it best to delete the cgi folder?
Just leave it, no harm is done when it is present and you (or something to be installed later) might need it.

Quote:
Anyway, the whole /var/www folder is owned by apache now and the httpd service seems to be running correctly.
Your apache server is now running more securely than before!
 
Old 04-06-2011, 08:19 AM   #15
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
@druuna, would you please clarify something that I am conceptually missing from your advice. If I read your post correctly, you are advocating making the web files owned by the Apache process. My understanding is that should Apache become compromised by an intruder, that these files by being owned by this process would be modifiable by whomever took control of the process. From my recollection, setting a false login shell does not prevent this as many processes have been locked out of login, but update (write) to files. This seems like it would be exceedingly dangerous. By making the files owned by root, an intruder would need to gain root privilege in order to modify the content.

Would you please explain what I am missing?
 
3 members found this post helpful.
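Noway2's objection in #15 turns druuna's recipe in #12 into something you can measure: after a chown -R, which entries in the document root could the httpd account actually modify? The script below is an added example, not code from any of the posters; it audits a tree with find(1) and, since only root can chown files to apache, uses the current uid as a stand-in for the apache account and a constructed directory tree in place of /var/www.

```shell
#!/bin/sh
# Audit a document root for entries the web server account could modify.
# Added example for this thread; not code from any of the posters.
set -eu

# Print every path under $1 that uid $2 / gid $3 can write to: owned by the
# uid with the owner-write bit, group-writable via the gid, or world-writable.
# -user/-group accept numeric ids and octal -perm is portable across find(1)s.
webroot_writable() {
    find "$1" \( \( -user "$2" -perm -200 \) -o \
                 \( -group "$3" -perm -020 \) -o \
                 -perm -002 \) -print | sort
}

# Number of writable entries; 0 means the account can only read the tree.
webroot_writable_count() {
    webroot_writable "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed stand-in for /var/www (7 entries); prints its path.
make_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/uploads" "$tmp/cgi-bin"
    printf '<?php echo "hi";\n' > "$tmp/html/index.php"
    printf '#!/bin/sh\n' > "$tmp/cgi-bin/test.cgi"
    : > "$tmp/html/uploads/avatar.png"
    chgrp -R "$(id -g)" "$tmp"                 # pin the group explicitly
    chmod 755 "$tmp" "$tmp/html" "$tmp/cgi-bin" "$tmp/cgi-bin/test.cgi"
    chmod 644 "$tmp/html/index.php"
    chmod 775 "$tmp/html/uploads"              # upload dir: group may write
    chmod 666 "$tmp/html/uploads/avatar.png"   # sloppy upload left 0666
    echo "$tmp"
}

# Scenario 1: chown -R apache:apache /var/www, audited as apache. The
# current uid stands in for apache (only root can chown to another user).
audit_owned_by_web() {
    tree=$(make_tree)
    n=$(webroot_writable_count "$tree" "$(id -u)" "$(id -g)")
    rm -rf "$tree"; echo "$n"
}

# Scenario 2: files owned by some other user (root:apache style), audited
# as apache: only the group- and world-writable entries remain reachable.
audit_owned_by_other() {
    tree=$(make_tree)
    n=$(webroot_writable_count "$tree" "$(( $(id -u) + 1 ))" "$(id -g)")
    rm -rf "$tree"; echo "$n"
}
```

On the constructed tree scenario 1 flags all 7 entries and scenario 2 only the two group- or world-writable ones, which is the difference Noway2 is pointing at.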