Tuesday, September 22, 2015

What are ideal permissions for Linux/Apache web site to enable team working but protect some files



I'm finding it hard to find advice on the ideal permissions for a website folder structure on RHEL5.



I want multiple users to be able to change/add/remove files within the website folders - but certain files like the ones containing database passwords need to be protected so that team members can't do anything to them (read/delete).



I was going to create a group 'www', add apache and all the users to that group, add all the files and folders to this group, then make the db password files owned by apache, group apache - however I've found that if the directory has write permissions to the www group, then they can still delete (and recreate) the password file.




Is the only solution to move the password file into it's own directory and remove the write permissions?


Answer



There is probably a better way of doing this, but if you are running on ext2/3 you could make the file immutable using



# chattr +i file



This means that the file cannot be modified, deleted or renamed, not even by root. If you want to change the file you have to chattr -i the file first


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...