PHP Developers Network

A Definitive Answer To File/Folder Permissions For Apache?

Author:  mecha_godzilla [ Sat Apr 13, 2013 5:31 pm ]
Post subject:  A Definitive Answer To File/Folder Permissions For Apache?


I'm currently setting up a new server and having doubts about my file/folder permission settings again - no matter how much I research this, I never get what I would consider to be a comprehensive answer on the subject as the posts I've read all seem to contradict each other in slightly different ways, so I'd appreciate some input from the experts here please :mrgreen:

First, the set-up:

1. I'm using CentOS and Apache is running as "apache".
2. There's only one site running on the server, and the document root is "/var/www/html".
3. I also have aliases to phpMyAdmin and Xcache, which live outside the web root in directories like "/usr/share/phpMyAdmin", etc.
4. There is no requirement for users to upload files to the server, or for Apache to create or modify any of the files on the server.

My questions are:

1. Which user should own the web root folder?
2. Is it a bad idea to assign ownership of the files in the web root to "apache" even if it doesn't have write privileges for those files, or should I create a separate user for this purpose? The way I've done this before is that I've created a user specifically for FTP duties and this user owns the files but belongs to the "apache" group, and the "apache" group can read those files. I'm not saying this is necessarily right, just how I've done it before.
3. What about files outside of the web root, such as phpMyAdmin? At the moment, I set "apache" as the owner of these folders, and the files inside with permissions of 400.


Mecha Godzilla

Author:  Christopher [ Sat Apr 13, 2013 11:53 pm ]
Post subject:  Re: A Definitive Answer To File/Folder Permissions For Apach

I would recommend only setting directories/files to user apache if you want them to be writable by the webserver -- such as session and upload files. Otherwise I would set the files in "/var/www/html" to the user you login as to manage those files (SFTP if available, not FTP). Set them to owner writable and readable by all. That way they cannot be written by the apache user. I would do the same for directories like phpMyAdmin. You can also set these directories to not writable at all once configured.

Author:  mecha_godzilla [ Sun Apr 14, 2013 2:21 pm ]
Post subject:  Re: A Definitive Answer To File/Folder Permissions For Apach

Thanks, that all makes sense - I did read through Apache's "advice" page on securing the web server environment but that wasn't a great help, and I'm wary of trying to employ any sticky-bit/suexec arrangements when I don't understand the full implications of what they're doing.

I had planned on using SFTP this time around, but thanks for the suggestion - I normally just use vsftpd but then I remembered that SSH has its own in-built FTP. Also, my application saves session information in the database so I don't have to worry about securing the session directory.

Can I just ask one more question: what's the best way to protect included scripts that store database login credentials? I've read some conflicting advice about this as well - the practice used to be to put them one level below the web root (which is what I still do) so that they're not directly accessible, but is it still appropriate to make these scripts readable by all? I realise that Apache has to be able to read these files in order to process them, but similarly I don't want a situation where any other application on the server can access these files.

Thanks again for your advice - I've been using Un*x for a while now so I should really know all this stuff, but then I think back to that comment in the UNIX-HATERS handbook about there being "no Unix experts, in the naive sense of an exalted group whose knowledge is exhaustive and who need not learn more" :mrgreen:


Author:  Christopher [ Sun Apr 14, 2013 9:41 pm ]
Post subject:  Re: A Definitive Answer To File/Folder Permissions For Apach

Author:  mecha_godzilla [ Mon Apr 15, 2013 3:26 pm ]
Post subject:  Re: A Definitive Answer To File/Folder Permissions For Apach

Ok, that sounds sensible - everything is served through the index file anyway so there's no need for the main scripts to be accessible from the web root. What I've done now is create a new SFTP user to own all the web scripts and then add this user to the "apache" group so that Apache can access all the scripts - the permissions will just allow read access to the SFTP user and the "apache" group and nobody else.

Thanks again for your help - I really appreciate it.
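The arrangement settled on in the post above (an SFTP deploy user owns the tree, Apache reads it only through membership in the "apache" group, files 0640 and directories 0750, nothing writable by the web server), as an added shell example that is not from the thread. It applies that layout and then audits a tree for anything that drifts from it; the user name sftpuser is an assumption, and it relies on GNU stat/find as shipped on CentOS.

```shell
#!/bin/sh
# Apply and audit the permission layout from this thread: everything under
# the web root is owned by the SFTP deploy user with group "apache", files
# 0640 and directories 0750. Apache reads via the group bit, the apache
# user can write nothing, and other local accounts cannot read the scripts
# (so an included db-credentials file is not world-readable).
# Assumes GNU stat (-c) and find. "sftpuser" below is an assumed name.

# Accept a user/group name or a numeric id and return the numeric id.
to_uid() { case "$1" in *[!0-9]*) id -u "$1" ;; *) echo "$1" ;; esac; }
to_gid() { case "$1" in *[!0-9]*) getent group "$1" | cut -d: -f3 ;; *) echo "$1" ;; esac; }

# apply_web_perms ROOT OWNER GROUP : chown -R, then 750 on dirs, 640 on files.
apply_web_perms() {
  chown -R "$(to_uid "$2"):$(to_gid "$3")" "$1" &&
  find "$1" -type d -exec chmod 750 {} + &&
  find "$1" -type f -exec chmod 640 {} +
}

# audit_web_perms ROOT OWNER GROUP : print one line per entry that deviates
# from the layout (wrong owner/group, or mode other than 750/640); exit
# status is 0 only when the whole tree is clean.
audit_web_perms() {
  local root="$1" uid gid problems
  uid=$(to_uid "$2"); gid=$(to_gid "$3")
  problems=$(find "$root" -print | while IFS= read -r path; do
    set -- $(stat -c '%a %u %g' "$path")   # octal mode, owner uid, group gid
    if [ "$2" != "$uid" ] || [ "$3" != "$gid" ]; then
      printf 'OWNERSHIP %s %s:%s\n' "$path" "$2" "$3"
    elif [ -d "$path" ] && [ "$1" != 750 ]; then
      printf 'DIRMODE %s %s\n' "$path" "$1"
    elif [ ! -d "$path" ] && [ "$1" != 640 ]; then
      printf 'FILEMODE %s %s\n' "$path" "$1"
    fi
  done)
  [ -z "$problems" ] && return 0
  printf '%s\n' "$problems"
  return 1
}

# Typical use on the thread's layout (run as root; sftpuser is assumed):
#   apply_web_perms /var/www/html sftpuser apache
#   audit_web_perms /var/www/html sftpuser apache
```

Run the audit from cron after deployments: a file that an SFTP client or editor quietly recreated as 0644 shows up as a FILEMODE line.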


All times are UTC - 5 hours