On Sat, 21 Sep 2002, Rich Bowen wrote:

>
> =Apache security

Two comments:

1. A lot of silly and futile restrictions here that don't do anything to improve security and only serve to make people do things as root more than they should have to.

2. Your recommended permissions for the logs directory have a huge problem:

> * Logs directory has some caveats
>
> * Standard log files are written as root (C<access_log> and C<error_log>)
>
> * Some other modules log as C<www.root>
>
> * So, here's the recommendation:
>
>     chown root.www logs
>     chmod 770 logs

This goes explicitly against what is documented in the current docs and allows anyone who compromises the "www" group to gain root access to the system.

Do not give the user or group the server runs as write permissions to the log directory if the server is started as root.

If you have some random module that wants to write a logfile as the user the webserver runs as, either put it in a different directory or precreate the file with permissions that let the module do so.
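One way to audit for the condition this reply warns about, as an added example that is not part of the original message: the function flags a log directory that the server's run-as user or group can write to. The function name and its arguments are assumptions, and only the directory's own owner and group are compared, not supplementary group membership.

```shell
#!/bin/sh
# Added example: audit a web server log directory.
# usage: logdir_check DIR SRV_USER SRV_GROUP
#   SRV_USER / SRV_GROUP = identity the server switches to after starting as root
# returns 0 if that identity cannot write to DIR, 1 if it can, 2 on error
logdir_check() {
    dir=$1 srv_user=$2 srv_group=$3

    # Refuse symlinks: ls -ld would describe the link, not the directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a plain directory" >&2
        return 2
    fi

    # ls -ld fields: mode, link count, owner, group, ...
    read -r mode _links owner group _rest <<EOF
$(ls -ld "$dir")
EOF

    rc=0
    # Mode string is e.g. drwxrwx---; characters 3, 6 and 9 are the write bits.
    case $mode in
        ????????w*) echo "$dir: world-writable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ?????w*)
            if [ "$group" = "$srv_group" ]; then
                echo "$dir: writable by server group $srv_group ($mode)"
                rc=1
            fi ;;
    esac
    case $mode in
        ??w*)
            if [ "$owner" = "$srv_user" ]; then
                echo "$dir: writable by server user $srv_user ($mode)"
                rc=1
            fi ;;
    esac
    return $rc
}

# Run as a script: sh logdir_check.sh DIR SRV_USER SRV_GROUP
if [ $# -eq 3 ]; then
    logdir_check "$@"
fi
```

A directory set up as in the quoted recommendation (group www, mode 770) is reported when checked against server group www; the same directory at mode 750 passes.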
