PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Loading
It is currently Tue Oct 17, 2017 1:43 pm

All times are UTC - 5 hours




Post new topic Reply to topic  [ 5 posts ] 
Author Message
PostPosted: Sat Apr 13, 2013 5:31 pm 
Offline
Forum Contributor
User avatar

Joined: Wed Apr 14, 2010 4:45 pm
Posts: 375
Location: UK
Hi,

I'm currently setting up a new server and having doubts about my file/folder permission settings again - no matter how much I research this, I never get what I would consider to be a comprehensive answer on the subject as the posts I've read all seem to contradict each other in slightly different ways, so I'd appreciate some input from the experts here please :mrgreen:

First, the set-up:

1. I'm using CentOS and Apache is running as "apache".
2. There's only one site running on the server, and the document root is "/var/www/html".
3. I also have aliases to phpMyAdmin and Xcache, which live outside the web root in directories like "/usr/share/phpMyAdmin", etc.
4. There is no requirement for users to upload files to the server, or for Apache to create or modify any of the files on the server.

My questions are:

1. Which user should own the web root folder?
2. Is it a bad idea to assign ownership of the files in the web root to "apache" even if it doesn't have write privileges for those files, or should I create a separate user for this purpose? The way I've done this before is that I've created a user specifically for FTP duties and this user owns the files but belongs to the "apache" group, and the "apache" group can read those files. I'm not saying this is necessarily right, just how I've done it before.
3. What about files outside of the web root, such as phpMyAdmin? At the moment, I set "apache" as the owner of these folders, and the files inside with permissions of 400.

Thanks,

Mecha Godzilla


Top
 Profile  
 
PostPosted: Sat Apr 13, 2013 11:53 pm 
Offline
Site Administrator
User avatar

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13434
Location: New York, NY, US
I would recommend only setting directories/files to user apache if you want them to be writable by the webserver -- such as session and upload files. Otherwise I would set the files in "/var/www/html" to the user you login as to manage those files (SFTP if available, not FTP). Set them to owner writable and readable by all. That way they cannot be written by the apache user. I would do the same for directories like phpMyAdmin. You can also set these directories to not writable at all once configured.

_________________
(#10850)


Top
 Profile  
 
PostPosted: Sun Apr 14, 2013 2:21 pm 
Offline
Forum Contributor
User avatar

Joined: Wed Apr 14, 2010 4:45 pm
Posts: 375
Location: UK
Thanks, that all makes sense - I did read through Apache's "advice" page on securing the web server environment but that wasn't a great help, and I'm a wary of trying to employ any sticky-bit/suexec arrangements when I don't understand the full implications of what they're doing.

I had planned on using SFTP this time around, but thanks for the suggestion - I normally just use vsftpd but then I remembered that SSH has its own in-built FTP. Also, my application saves session information in the database so I don't have to worry about securing the session directory.

Can I just ask one more question: what's the best way to protect included scripts that store database login credentials? I've read some conflicting about this as well - the practice used to be to put them one level below the web root (which is what I still do) so that they're not directly accessible, but is it still appropriate to make these scripts readable by all? I realise that Apache has to be able to read these files in order to process them, but similarly I don't want a situation where any other application on the server can access these files.

Thanks again for your advice - I've been using Un*x for a while now so I should really know all this stuff, but then I think back to that comment in the UNIX-HATERS handbook about there being "no Unix experts, in the naive sense of an exalted group whose knowledge is exhaustive and who need not learn more" :mrgreen:

M_G


Top
 Profile  
 
PostPosted: Sun Apr 14, 2013 9:41 pm 
Offline
Site Administrator
User avatar

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13434
Location: New York, NY, US
mecha_godzilla wrote:
Can I just ask one more question: what's the best way to protect included scripts that store database login credentials? I've read some conflicting about this as well - the practice used to be to put them one level below the web root (which is what I still do) so that they're not directly accessible, but is it still appropriate to make these scripts readable by all?
You should store you application scripts outside of web root -- so at least one level up. That way it is not possible to access them if the webserver is misconfigured (e.g. not parsing .php files). I usually have only the index.php script in web root and all other PHP files above web root. Typically you have a directory for the site with sub-directories in it like cgi-bin, htdocs, logs, etc. It is common to put the application directory there on the same level as the web root directory.

_________________
(#10850)


Top
 Profile  
 
PostPosted: Mon Apr 15, 2013 3:26 pm 
Offline
Forum Contributor
User avatar

Joined: Wed Apr 14, 2010 4:45 pm
Posts: 375
Location: UK
Ok, that sounds sensible - everything is served through the index file anyway so there's no need for the main scripts to be accessible from the web root. What I've done now is created a new SFTP user to own all the web scripts and then added this user to the "apache" group so that Apache can access all the scripts - the permissions will just allow read access to the SFTP user and the "apache" group and nobody else.

Thanks again for your help - I really appreciate it.

M_G


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group