Everything in my www and cgi-bin dirs is always apache.apache, I always
make sure of it...
I just wanted an easy way of setting minimum permissions for the files and
directories and setting all ownership to apache.apache; if nothing else, it's
consistent...
-----Original Message-----
From: Michael D. Viron [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 9 May 2001 11:25 PM
To: Tim Holmes; Franki
Cc: Rules Address for MDK
Subject: Re: [newbie] chown and chmod
At 03:51 AM 05/09/2001 -0400, Tim Holmes wrote:
>Well first off, the directories in /var/www need to be 0755 and owner/group
>must be apache. Once you're in those directories, it doesn't make a
>difference of the ownership. Most of the files will be root for owner/group
>once you start moving files there or creating them in vi as the root user.
>So as long as the directories in /var/www are owned/grouped as apache.
>Looking something like this...
Actually this does matter--there is a well-known exploit (Redhat / Mandrake
and most security books note it) for apache that files retrieved via the
web are retrieved as the user that owns them. Therefore, you should have
all web directories / files (particularly cgi-bin and / or perl) owned
either by nobody:nobody, or apache:apache such that you block the exploit.
This brings me to the next point, when creating files in the web directory,
you should either su to the user that owns the files before editing /
creating, or you should change the ownership of the edited / created file
to be consistent with all other files in that directory.
Michael
--
Michael Viron
Senior Systems & Administration Consultant
Web Spinners, University of West Florida
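
Added example, not part of the original thread: a read-only audit for the ownership and permission consistency discussed in the messages above, run before any bulk chown or chmod. The 0755 directory mode and the owner/group pair come from the thread; the function name `audit_webroot`, the tab-separated output, and the check for group- or world-writable files are assumptions made for this example.

```shell
#!/bin/sh
# audit_webroot ROOT OWNER GROUP
#   ROOT   web tree to inspect, e.g. /var/www
#   OWNER  expected user  (name or numeric uid, e.g. apache or nobody)
#   GROUP  expected group (name or numeric gid)
# Prints one "REASON<TAB>PATH" line per finding and changes nothing.
# Returns 0 when the tree is consistent, 1 when anything was reported.
audit_webroot() {
    aw_root=$1
    aw_owner=$2
    aw_group=$3
    aw_findings=$(
        # Entries whose owner or group differs from the expected pair,
        # e.g. files created while editing as root.
        find "$aw_root" ! -user "$aw_owner" -exec printf 'owner\t%s\n' {} \;
        find "$aw_root" ! -group "$aw_group" -exec printf 'group\t%s\n' {} \;
        # Directories whose mode is not exactly 0755 (the mode named in the thread).
        find "$aw_root" -type d ! -perm 755 -exec printf 'dirmode\t%s\n' {} \;
        # Assumption of this example: a regular file writable by group or
        # other is reported, since the thread gives no file mode.
        find "$aw_root" -type f \( -perm -020 -o -perm -002 \) \
            -exec printf 'writable\t%s\n' {} \;
    )
    [ -z "$aw_findings" ] && return 0
    printf '%s\n' "$aw_findings"
    return 1
}

# Usage (run by hand once the function is defined):
#   audit_webroot /var/www apache apache
```

Reviewing the findings first shows which files would change owner or mode before a recursive chown or chmod touches them.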