What is possible security draw-back of running entire php-based site (all scripts) owned by apache?
Is it easier for net-vermin to break into site's directory - upload some unauthorised script, or edit existing, than it would be if dirs/files are owned by user?
Not really concerned with inability to access scripts through ftp client running as user (not a draw-back for me).
Assumed proper chmod:
- all folders: 755
- file: 644
runnning php scripts under apache ownership: safe/unsafe
Moderator: General Moderators
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: runnning php scripts under apache ownership: safe/unsafe
If this is a VPS/a dedicated server, then don't worry about it.
I'm not sure I understood that. Apache needs an access to those files or it can't serve them. I'm not Linux/Apache expert, but IIRC, Apache upon starting runs as root and can thus read anything it likes and after it starts the processing of the VirtualHost/site, it becomes nobody and can access any serve-able web content.jeffz2010 wrote:What is possible security draw-back of running entire php-based site (all scripts) owned by apache?
As long as the main directory of your user account has proper permissions set, no one else can access anything below it.jeffz2010 wrote:Assumed proper chmod:
- all folders: 755
- file: 644
Re: runnning php scripts under apache ownership: safe/unsafe
Also, for 777 chmod-ed directory it's good to set the sticky bit:
This way, while other users can create files in this directory, they will not be able to delete files they don't own.
A little bit of security through obscurity is added if you set the immutable attribute of your files:
This way, nobody (including the owner of the file) may modify, delete or rename this file. You'll need to turn off the -i flag in order to make any changes.
This is not well known behavior, especially by script-kiddies
Code: Select all
chmod +t directory_nameA little bit of security through obscurity is added if you set the immutable attribute of your files:
Code: Select all
chattr +i file_nameThis is not well known behavior, especially by script-kiddies
There are 10 types of people in this world, those who understand binary and those who don't
Re: runnning php scripts under apache ownership: safe/unsafe
This arrangement (scripts under apache ownership) are to avoid using suphp (or similar), which can be a hog on resources, yet allow user:
or allow script to make file writeable, write to file, change permissions to proper 644
- a. to make changes (read, write, delete create files and directories) using interface (no need for ftp/tech knowledge)
- b. scripts to manipulate permissions, as needed
or allow script to make file writeable, write to file, change permissions to proper 644
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: runnning php scripts under apache ownership: safe/unsafe
SuPHP/SuExec are used to make shared hosting a bit more secure environment to host your software. They make sure that the PHP process runs as the owner of the account and thus can't access the entire file-system unlike in case of without them.