running php scripts under apache ownership: safe/unsafe

Posted: Thu Feb 18, 2010 12:37 pm
by jeffz2010
What is the possible security drawback of running an entire PHP-based site (all scripts) owned by apache?

Is it easier for net-vermin to break into the site's directory - upload some unauthorised script, or edit an existing one - than it would be if dirs/files were owned by the user?

Not really concerned with inability to access scripts through ftp client running as user (not a draw-back for me).
Assumed proper chmod:
- all folders: 755
- file: 644

Re: running php scripts under apache ownership: safe/unsafe

Posted: Sat Feb 20, 2010 4:25 am
by kaisellgren
If this is a VPS/a dedicated server, then don't worry about it.
jeffz2010 wrote:
> What is the possible security drawback of running an entire PHP-based site (all scripts) owned by apache?

I'm not sure I understood that. Apache needs access to those files or it can't serve them. I'm not a Linux/Apache expert, but IIRC, Apache upon starting runs as root and can thus read anything it likes, and after it starts processing the VirtualHost/site, it becomes nobody and can access any serve-able web content.

jeffz2010 wrote:
> Assumed proper chmod:
> - all folders: 755
> - file: 644

As long as the main directory of your user account has proper permissions set, no one else can access anything below it.

Re: running php scripts under apache ownership: safe/unsafe

Posted: Sat Feb 20, 2010 4:39 am
by VladSun
Also, for 777 chmod-ed directory it's good to set the sticky bit:

Code:

    chmod +t directory_name

This way, while other users can create files in this directory, they will not be able to delete files they don't own.

A little bit of security through obscurity is added if you set the immutable attribute of your files:

Code:

    chattr +i file_name

This way, nobody (including the owner of the file) may modify, delete or rename this file. You'll need to turn off the -i flag in order to make any changes.
This is not well known behavior, especially by script-kiddies ;)
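
As an added example (not part of the original posts): a small Python audit that lists which paths under a document root the web server account could modify, applying the owner/group/other rules behind the 755/644 question and flagging the world-writable-without-sticky-bit case mentioned above. The function names, finding labels and command-line usage are assumptions made for this example.

```python
import os
import stat

def web_user_can_write(st, web_uid, web_gids):
    """POSIX class check: owner bits if the uid matches, else group bits, else other bits."""
    if st.st_uid == web_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in web_gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(root, web_uid, web_gids=()):
    """Return sorted (relative_path, finding) pairs for root and everything below it."""
    # The immutable attribute (chattr +i) is not visible in mode bits and is not checked.
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)  # lstat: look at a symlink itself, never its target
        rel = os.path.relpath(path, root)
        if stat.S_ISDIR(st.st_mode):
            if web_user_can_write(st, web_uid, web_gids):
                # Write on a directory means create, rename and delete inside it,
                # even for files that are themselves read-only (e.g. mode 444).
                findings.append((rel, "dir-writable-by-web-user"))
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                # The 777 case from the thread: without +t any local user can
                # delete or replace files that belong to someone else.
                findings.append((rel, "world-writable-no-sticky"))
        elif stat.S_ISREG(st.st_mode) and web_user_can_write(st, web_uid, web_gids):
            findings.append((rel, "file-writable-by-web-user"))
    return sorted(findings)

if __name__ == "__main__":
    import grp, pwd, sys
    # Assumed invocation: audit.py /var/www/site apache  (path and user are examples)
    user = pwd.getpwnam(sys.argv[2])
    gids = {user.pw_gid} | {g.gr_gid for g in grp.getgrall() if user.pw_name in g.gr_mem}
    for rel, finding in audit_docroot(sys.argv[1], user.pw_uid, gids):
        print(f"{finding:28} {rel}")
```

When every file is owned by the web server account with 755/644, each script and directory is reported, because the owner write bit applies to that account.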

Re: running php scripts under apache ownership: safe/unsafe

Posted: Tue Feb 23, 2010 1:13 pm
by jeffz2010
This arrangement (scripts under apache ownership) is to avoid using suphp (or similar), which can be a hog on resources, yet allow user:
  • a. to make changes (read, write, delete, create files and directories) using interface (no need for ftp/tech knowledge)
  • b. scripts to manipulate permissions, as needed
e.g.: upload image -> make img:directory writeable -> move image to img:dir -> change dir back to 755,
or allow script to make file writeable, write to file, change permissions to proper 644

Re: running php scripts under apache ownership: safe/unsafe

Posted: Wed Feb 24, 2010 2:57 am
by kaisellgren
SuPHP/SuExec are used to make shared hosting a somewhat more secure environment to host your software. They make sure that the PHP process runs as the owner of the account and thus can't access the entire file-system, unlike without them.