[plug] apache perms

James Devenish devenish at guild.uwa.edu.au
Sat Sep 18 09:54:18 WST 2004


In message <1095463466.10272.4.camel at rattus.Localdomain>
on Sat, Sep 18, 2004 at 07:24:26AM +0800, William Kenworthy wrote:
> Something I am a bit confused about: who should the owner of the
> apache htdocs and cgi-bin directories be?

Normally, a daemon user's home directory will be owned by root. However,
htdocs and cgi-bin are subdirectories and can be owned by whomever you
wish. It would be pretty irregular for cgi-bin to be owned or writable
by anyone other than root, as you don't normally want arbitrary users to
be able to put executable binaries into that directory. However, htdocs
may be a quite different story depending on how you manage your content.

> The apache user the server[']s running under (apache in my case) or
> root for read[-]only files that you want to make sure the apache
> daemon cannot execute?

Now you seem to be talking about files rather than directories. If you
want to prevent the 'apache' user from executing files, you'll need to
make sure the files do not have the 'executable' privilege set. In
particular, if the executable is owned by 'root' then set perms to 700
(rwx------) not 755 (rwxr-xr-x). This will also prevent yourself and the
Apache daemon from executing the file or discovering the contents of the file.
However, if the directory containing that file is owned by the 'apache'
user, then the apache user will be able to delete and rename the file
(but not modify it or use it).

> Seems to be various reasons to configure this in different ways, but I
> haven't come across anything that looks like a standard yet.

Different people want different things.
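
Added example, not part of the original message: a small Python audit that applies the classic owner/group/other mode check to the three conditions discussed above (who owns and can write to cgi-bin, which files the daemon can execute, and which files it can delete or rename through a writable directory even though it cannot modify them). The function names, the finding strings, the `apache` account lookup and the `/var/www/...` paths are assumptions for illustration; ACLs and root's override are ignored.

```python
import os
import stat

def allowed(st, uid, gids, want):
    """Classic Unix mode check for want in 'rwx' (ignores ACLs and root's override)."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if st.st_uid == uid:            # owner class wins, even when it is stricter
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & bit)

def audit(htdocs, cgi_bin, daemon_uid, daemon_gids, admin_uid=0):
    """Return (path, finding) tuples for the conditions discussed in the message."""
    findings = []
    cgi = os.stat(cgi_bin)
    if cgi.st_uid != admin_uid:
        findings.append((cgi_bin, "cgi-bin owner is not the admin uid"))
    if cgi.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((cgi_bin, "cgi-bin writable by group or other"))
    for root, _dirs, files in os.walk(htdocs):
        d = os.stat(root)
        # Deleting or renaming an entry needs write+search on the directory only.
        dir_rw = (allowed(d, daemon_uid, daemon_gids, "w")
                  and allowed(d, daemon_uid, daemon_gids, "x"))
        for name in files:
            path = os.path.join(root, name)
            f = os.lstat(path)
            if not stat.S_ISREG(f.st_mode):
                continue
            if allowed(f, daemon_uid, daemon_gids, "x"):
                findings.append((path, "daemon can execute"))
            # Sticky bit restricts removal to the owner of the file or directory.
            sticky_ok = (not d.st_mode & stat.S_ISVTX
                         or daemon_uid in (d.st_uid, f.st_uid))
            if dir_rw and sticky_ok and not allowed(f, daemon_uid, daemon_gids, "w"):
                findings.append((path, "daemon can delete/rename but not modify"))
    return findings

if __name__ == "__main__":
    import pwd
    www = pwd.getpwnam("apache")  # assumed daemon account name, as in the thread
    groups = set(os.getgrouplist(www.pw_name, www.pw_gid))
    # Assumed example paths; substitute your own DocumentRoot and ScriptAlias target.
    for path, finding in audit("/var/www/htdocs", "/var/www/cgi-bin", www.pw_uid, groups):
        print(f"{finding}: {path}")
```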




