Thursday, June 16, 2016

apache 2.2 - what chmod and owner:group settings are best for a web application?



We are configuring a PHP web application on CentOS and have all our files currently in /var/www/html/project/



Apache is configured to run as apache:apache and has access to the directory above. Right now our files and directories have the following rights:




owner = root
group = apache



DIRECTORIES:
drwxr-x--- root apache



FILES:
-rw-r----- root apache



Is this a safe setup? Or is it better to use a new user e.g. "project" to be the owner of all files and directories?



Answer



It's a best practice to have the owner be whatever limited user account is used for uploading/managing the files on the server. The group is often the account that PHP is running under, so in this case apache would be correct. The other permissions should be set to nothing, as they are. You are close to perfect.



If you have a situation where multiple accounts may be modifying/editing the files, you can create a cron script that chowns the dir recursively every hour or so to maintain correct ownership. The same technique works to keep the permissions correct as well.



Also, you may want to modify the umask of the limited user account that has ownership to be in line with your permission scheme.
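
The hourly cron job the answer describes could look like the following. This is an added example, not code from the original answer; the limited account name `project`, the script path in the cron comment and the function names are assumptions, while the 750/640 modes and the `apache` group come from the question.

```shell
#!/bin/sh
# Added example: keep a web root at owner:group with dirs 750 and files 640.
# Hypothetical /etc/cron.d entry (script path and "project" account are assumed):
#   0 * * * * root /usr/local/sbin/enforce-perms.sh /var/www/html/project project apache
# A umask of 027 for the owning account creates new dirs as 750 and files as 640.

# audit_tree ROOT OWNER GROUP
# Print every path that has the wrong owner or group, every directory that is
# not exactly 750 and every regular file that is not exactly 640.
audit_tree() {
    root=$1 owner=$2 group=$3
    find "$root" \( ! -user "$owner" -o ! -group "$group" \
        -o \( -type d ! -perm 750 \) \
        -o \( -type f ! -perm 640 \) \) -print
}

# enforce_tree ROOT OWNER GROUP
# Correct only the paths that deviate, so files that are already right are not
# touched on every run.
enforce_tree() {
    root=$1 owner=$2 group=$3
    # chown -h changes a symlink itself and never the file it points at, so a
    # link planted inside the tree cannot redirect the ownership change.
    find "$root" \( ! -user "$owner" -o ! -group "$group" \) \
        -exec chown -h "$owner:$group" {} +
    find "$root" -type d ! -perm 750 -exec chmod 750 {} +
    find "$root" -type f ! -perm 640 -exec chmod 640 {} +
}

# When called with ROOT OWNER GROUP, report the deviations, then fix them.
if [ "$#" -eq 3 ]; then
    audit_tree "$@"
    enforce_tree "$@"
fi
```

Cron normally mails whatever a job prints, so the audit lines act as a record of which files drifted and how often.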

