Re: How to get Apache to write files as group writable?

From: Jay Paulson (jpaulson_at_sedl.org)
Date: 09/15/05

    Date: Thu, 15 Sep 2005 10:31:51 -0500
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    >> I also found that in the /etc/httpd/conf/httpd.conf file you can
    >> change the group apache runs as from apache to www (or whatever group
    >> you want). Then start up /etc/init.d/httpd as root for it to take
    >> effect (at least that's what it says in the httpd.conf file).
    >> My question now is which is the better way?
    >> I'll have to try both ways. :)
    >
    > The two things are completely different.
    >
    > Changing the group in /etc/httpd/conf/httpd.conf just changes the group
    > that apache runs as. It will not affect the permission bits of files
    > created by the web server in any way, only the GID of those files (if
    > you're using the SGID bit on a directory, the GID of newly-created
    > files will be the same as the directory, otherwise, the GID of the
    > running process).
    >
    > Be careful about the UID/GID you run httpd as, and the
    > UID/GID/permissions of the files on your system. Security-wise, the
    > httpd should run with just enough permissions to be able to function
    > correctly, i.e. it should not be able to write to most files, just
    > read the files it's serving and write to files/directories that you
    > want to be able to upload to.
    >
    > Changing the umask to 002 will mean that newly-created files will have
    > write permissions set for the UID and GID of the file.
    >
    > Paul.

    Thanks for the explanation; it makes perfect sense to me, and the
    security issue you bring up is very serious.

    The reason why I need apache to have write permissions set for the UID
    and the GID is that I have other users who log in locally and will need
    access to modify those files that are uploaded via apache. Hence the
    reason why my local users and apache are all in the 'www' group. This,
    as you pointed out, isn't best for security, which really does concern
    me.

    Is there a more secure way of setting this up so that files that are
    created by apache are writable by the group and the local users without
    compromising the security of the rest of the files on the web root
    through apache?

    Thanks,
    jay

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
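
The umask and SGID behaviour described in Paul's quoted reply, as an added example that is not part of the original thread. It assumes Linux with GNU `stat`; the scratch directory and the helper names `make_upload_dir` and `new_file_attrs` are hypothetical stand-ins for an upload directory.

```shell
#!/bin/sh
# Added example (not from the thread): how umask and the SGID bit on a
# directory decide the mode and GID of newly created files.
# Assumes Linux with GNU stat. All names and paths here are hypothetical.

# Create a scratch "upload" directory with the SGID bit set and print its path.
# Mode 2770: owner and group get rwx, everyone else gets nothing.
make_upload_dir() {
    d=$(mktemp -d) || return 1
    primary=$(id -g)
    # If the caller belongs to a second group, hand the directory to it so
    # that GID inheritance is visible; otherwise the primary group is kept.
    for g in $(id -G); do
        if [ "$g" != "$primary" ] && chgrp "$g" "$d" 2>/dev/null; then
            break
        fi
    done
    chmod 2770 "$d" || return 1
    printf '%s\n' "$d"
}

# Create an empty file in directory $1 under umask $2 with name $3 and
# print "<octal mode> <gid>" for the new file.
new_file_attrs() {
    (
        # Subshell: the umask change does not leak into the caller.
        umask "$2"
        : > "$1/$3"
    )
    stat -c '%a %g' "$1/$3"
}

# Demo: the same directory, two umasks.
demo_dir=$(make_upload_dir)
echo "directory:  $(stat -c 'mode=%a gid=%g' "$demo_dir")"
# umask 022 clears the group write bit: the file is not group writable.
echo "umask 022:  $(new_file_attrs "$demo_dir" 022 default.txt)"
# umask 002 keeps the group write bit; the GID still comes from the directory.
echo "umask 002:  $(new_file_attrs "$demo_dir" 002 shared.txt)"
rm -rf "$demo_dir"
```

The umask controls only the permission bits, and the SGID bit on the directory controls only the group of the new file, which is why the two settings are independent.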
    
