
Recipe 22.4. Setting Apache File Permissions and Ownership

22.4.1 Problem

You want to be sure that file permissions on your Apache installation are sane and secure.

22.4.2 Solution

Follow this checklist:

First, make sure that the httpd binary is owned by root, is not writable by anyone, and is not readable by non-root users. Mode 511 gives the owner read and execute and everyone else execute only:

# chown root:root /usr/sbin/httpd

# chmod 511 /usr/sbin/httpd

Next, create an unprivileged user just for httpd:

# useradd -c "httpd owner" -d /dev/null -s /bin/false httpd

Open /etc/httpd/conf/httpd.conf and configure httpd to run under this user. Look for "Section 2: `Main' server configuration" and change the User directive (the Group directive beside it should likewise name httpd's own group, not nobody):

User httpd

Next, create a unique user and group to own your web page directories; in this example "web":

# groupadd -g 60 web

# useradd -c "Web Server" -d /var/www/ -g web -s /bin/false web

# chown -R web:web /var/www/http

# chmod -R 755 /var/www/http

Remember to add users who are authorized to edit your web pages to the web group. Note that mode 755 gives the group read access only; directories those users must write into need group write as well (775), or they will be unable to change anything. Finally, restart Apache:

# apachectl restart

That takes care of the basics.
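The whole procedure, plus an audit of the result, as an added example; this is not the Linux Cookbook's own script. It assumes a Linux system with GNU stat and find, and the default paths are the recipe's (/usr/sbin/httpd, /etc/httpd/conf/httpd.conf, /var/www/http), overridable as arguments. Two departures from the listing above are deliberate: useradd's -u option takes a numeric UID, so the login name goes last, and the document root gets 2775 on directories and 664 on files rather than a blanket 755, so that members of the web group can actually edit pages, new files inherit the web group, and HTML files are not marked executable.

```shell
#!/bin/sh
# Added example, not the Linux Cookbook's own code: the recipe's hardening
# steps as shell functions, plus an audit that verifies the outcome.
# Assumes GNU stat and find (Linux).

# Directories 2775, files 664: the web group can edit, new files inherit the
# group via the setgid bit, and the httpd user (not in the group) only reads.
set_docroot_modes() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# The recipe's steps; must run as root.
harden_apache() {
    local bin="${1:-/usr/sbin/httpd}" docroot="${2:-/var/www/http}"
    chown root:root "$bin"
    chmod 511 "$bin"
    # useradd's -u takes a numeric UID; the login name is the last argument
    getent passwd httpd >/dev/null || \
        useradd -c "httpd owner" -d /dev/null -s /bin/false httpd
    getent group web >/dev/null || groupadd -g 60 web
    getent passwd web >/dev/null || \
        useradd -c "Web Server" -d /var/www/ -g web -s /bin/false web
    chown -R web:web "$docroot"
    set_docroot_modes "$docroot"
}

# --- audit checks: return 0 on pass, 1 on fail, detail on stderr ----------

check_owner_root() {
    [ "$(stat -c %u "$1")" -eq 0 ]
}

# Owner r-x, group and other at most --x (511, 510, 501 or 500): only root
# can read the binary and nobody can write it.
check_mode_511() {
    local m
    m=$(stat -c %a "$1" 2>/dev/null) || return 1
    m=$((m % 1000))                      # drop a leading setuid/setgid digit
    [ $((m / 100)) -eq 5 ] && [ $((m / 10 % 10)) -le 1 ] && [ $((m % 10)) -le 1 ]
}

# User and Group must both be set and must not be root or a shared account
# such as nobody (Apache 1.3's "#-1" placeholder is rejected too).
check_run_as() {
    local conf="$1" d v
    for d in User Group; do
        v=$(awk -v d="$d" '$1 == d { print $2 }' "$conf" | tail -n 1)
        case "$v" in
            ""|root|nobody|nogroup|"#-1")
                echo "$conf: $d is '${v:-unset}'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Nothing under the document root may be world-writable.
check_docroot() {
    local bad
    bad=$(find "$1" -perm -002 -print)
    [ -z "$bad" ] || { printf '%s\n' "$bad" >&2; return 1; }
}

audit_apache() {
    local bin="${1:-/usr/sbin/httpd}" conf="${2:-/etc/httpd/conf/httpd.conf}"
    local docroot="${3:-/var/www/http}" rc=0
    check_owner_root "$bin" || { echo "$bin: not owned by root" >&2; rc=1; }
    check_mode_511 "$bin"   || { echo "$bin: mode $(stat -c %a "$bin"), want 511" >&2; rc=1; }
    check_run_as "$conf"    || rc=1
    check_docroot "$docroot" || rc=1
    return $rc
}

# Usage: sh apache-perms.sh harden [httpd-binary docroot]
#        sh apache-perms.sh audit  [httpd-binary httpd.conf docroot]
case "${1:-}" in
    harden) shift; harden_apache "$@" ;;
    audit)  shift; audit_apache "$@" ;;
esac
```

Run the harden subcommand once as root, then the audit subcommand as any user; it exits non-zero and names the offending file or directive when something has drifted. After restarting, confirm the privilege split with `ps -o user,pid,ppid,comm -C httpd`: exactly one process should belong to root, and every child should run as httpd.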

22.4.3 Discussion

The httpd binary is owned by root, and the parent process runs as root only to do what requires it: bind the listening sockets (port 80 is a privileged port) and launch the child processes. The children, which run under the user named by the User directive, accept every connection and serve every request; the root parent never handles client traffic. The default is the nobody user. Don't use nobody: it is shared by many other daemons, so a compromise of any one of them carries the same privileges as Apache, and it is a favored cracker target. More generally, never share a system user between services; always create a unique user for each of your daemons and servers.

You can use the usual Linux filesystem permissions to control which users have access to your web page files and subdirectories: the httpd user needs only read access to files and search access to directories, while only members of the web group should be able to write.

Apache itself has a strong security record. The more typical places to find vulnerabilities are the underlying operating system and whatever you add on top of the server: server-side scripting, web forms, and dynamic content generated with PHP, Perl, Python, and so on.

22.4.4 See Also
