we are configuring a PHP web application on CentOS and have all our files currently in /var/www/html/project/
Apache is configured to run as apache:apache and has access to the directory above. Right now our files and directories have the following rights:
owner = root
group = apache
DIRECTORIES:
drwxr-x--- root apache
FILES:
-rw-r----- root apache
Is this a safe setup? Or is it better to use a new user e.g. "project" to be the owner of all files and directories?
Answer
It's a best practice to have the owner be whatever limited user account is used for uploading/managing the files on the server. The group is often the account that php is running under, so in this case apache would be correct. The other permissions should be set to nothing, as they are. You are close to perfect.
If you have a situation where multiple accounts may be modifying/editing the files you can creat a cron script that chowns the dir recursively every hour or so to maintain correct ownership. The same technique works to keep the permissions correct as well.
Also, you may want to modify the umask of the limited user account that has ownership to be inline with your permission scheme.
No comments:
Post a Comment