On 2013-12-31 16:58, Raffaele Morelli wrote:
> 1. one should not be using root ownership for websites to solve
> permissions problems in website document root. On servers where there
> are N web developers this is absolutely the wrong way to go (you can't
> go IMO).

Webservers where there are N developers shouldn't work in production. On multiuser hosting sites you should consider a chrooted environment for the users, to protect the users from each other.

> root should only be used for system administration.
> security is not a matter of doing everything as root but of using the
> right permissions and user/group rules.
>
> 2. www-data user should have r-x group permissions and unprivileged
> users (e.g. developer account) should have rwx (or rw-) permissions and
> ownership.

The www-data user shouldn't own any files or directories except the area where uploading is necessary.

> www-data ownership is safe without write permission.

It can be safe, and it is much safer if www-data doesn't own anything.

>
> I just want to add a (relevant) bit.
> Apache has tons of directives to secure a website and if you really need
> to upload in a dir you can tell apache to not execute php scripts in
> there or force file type to text or prevent POST request from untrusted
> ip, etc etc.... and you're done.

Security is not a one-point tool; it has to be at different levels. Apache directives are one level, file ownership is another. If you provide security in depth, your system will be safer.

--
--- Friczy ---
'Death is not a bug, it's a feature'

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52c2f0f8.1000...@freemail.hu
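The layout argued for in the reply above, as an added example in POSIX shell (this is not code from the thread, nor Debian's or Apache's own): a developer group owns and writes the document root, the web server user only gets r-x through the "other" bits and owns nothing but the upload directory, and an audit function catches the shortcuts the thread warns about (chmod 777 fixes, web-user ownership outside uploads, executable files inside uploads). It also emits the Apache stanza the quoted post alludes to for switching script execution off in the upload directory. The group name webdev, the user www-data, the function names and the `php_admin_flag` line (which assumes mod_php) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Names are assumptions:
# DEVGROUP e.g. "webdev", WEBUSER e.g. "www-data", UPLOAD_SUBDIR e.g. "uploads".
# Usage: setup_docroot /var/www/site webdev www-data uploads
#        audit_docroot /var/www/site www-data uploads
#        upload_dir_apache_conf /var/www/site/uploads > /etc/apache2/conf-available/uploads.conf

# setup_docroot DOCROOT DEVGROUP WEBUSER UPLOAD_SUBDIR
setup_docroot() {
    docroot=$1
    devgroup=$2
    webuser=$3
    upload=$4
    mkdir -p "$docroot/$upload"
    # Developer group owns the tree; setgid on directories keeps files created
    # later in that group, so nobody needs root (or chmod 777) to "fix" it.
    chgrp -R "$devgroup" "$docroot"
    find "$docroot" -type d -exec chmod 2775 {} +
    find "$docroot" -type f -exec chmod 0664 {} +
    # Only the upload area is owned by the web server user. chown needs root,
    # so it is skipped when run unprivileged; the audit below still applies.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$webuser" "$docroot/$upload"
    fi
    # Upload dir: owner rwx, group r-x, other r-x. Never a write bit for others.
    chmod 0755 "$docroot/$upload"
}

# audit_docroot DOCROOT WEBUSER UPLOAD_SUBDIR
# Prints one "TAG path" line per finding and nothing when the tree is clean.
# WEBUSER may be a user name or a numeric uid (find -user accepts both).
audit_docroot() {
    docroot=$1
    webuser=$2
    upload_path=$1/$3
    # 1. Anything the web server user owns outside the upload directory.
    find "$docroot" -path "$upload_path" -prune -o -user "$webuser" -print |
        sed 's/^/OWNED_BY_WEBUSER /'
    # 2. Anything world-writable: the classic "chmod 777 until it works" fix.
    find "$docroot" -perm -002 -print | sed 's/^/WORLD_WRITABLE /'
    # 3. Executable files inside uploads; nothing uploaded should ever be +x.
    find "$upload_path" -type f -perm -100 -print | sed 's/^/EXEC_IN_UPLOAD /'
}

# upload_dir_apache_conf UPLOAD_PATH
# Apache stanza for the upload directory: no CGI/SSI, PHP engine off (mod_php),
# no PHP handler, and PHP-named files refused outright whatever the handler.
upload_dir_apache_conf() {
    cat <<EOF
<Directory "$1">
    Options -ExecCGI -Includes
    AllowOverride None
    php_admin_flag engine off
    RemoveHandler .php .phtml .phar
    <FilesMatch "\.(php[0-9]?|phtml|phar)\$">
        Require all denied
    </FilesMatch>
</Directory>
EOF
}
```

Run the audit from cron or a deploy hook and treat any output as a failed deployment; the ownership check is the one that catches developers quietly "fixing" a permission problem with chown www-data outside the upload area.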