
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



On 23/12/2013 15:30, Raffaele Morelli wrote:
2013/12/14 Lukasz Szybalski <szybalski@gmail.com>

[...]

root should not own files served by apache for any reason, that's really "dangerous"!
you should never do that...

Excuse me, but I think you're wrong.
The only reason I see why a file served by a web server must not be owned by root is if it is suid and the web server has the right to write to it (through group membership).

As a security measure, I preach the opposite: all files are owned by root (or by another user not used by the web server).
For the directories and files that have to be modified by the application, and thus by the web server, I use group membership (www-data) with write privileges for the group.

Like this, if someone finds a hole in the web app, they can make it execute something as the user running the web server, but they cannot write to the files served by the web server (except those specified above, using the group www-data).
And so, they cannot modify application files (PHP scripts...) to make them do what they want (send spam, propagate...).
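The layout described in this reply (root owns everything, the web server's group gets read-only access, group write only on a short list of application-writable directories), as an added example that is not from the thread: a script that applies the mode bits and audits a web root for files the web server could still write. It assumes GNU/BSD find and chmod, paths without whitespace, and runs chown only when invoked as root.

```shell
#!/bin/sh
# Added example, not from the original thread: apply the layout described
# above and audit a web root for drift from it.
# Assumptions: GNU/BSD find and chmod; WEBROOT and the writable dir names
# contain no whitespace; chown only runs when invoked as root.

set -e

# lockdown_webroot WEBROOT GROUP WRITABLE_DIR...
lockdown_webroot() {
    webroot=$1; group=$2; shift 2
    # Ownership is root:GROUP; chown needs root, so it is skipped when
    # running unprivileged (the mode bits below still apply).
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "root:$group" "$webroot"
    fi
    find "$webroot" -type d -exec chmod 0750 {} +   # group can traverse/list
    find "$webroot" -type f -exec chmod 0640 {} +   # group can read, not write
    for d in "$@"; do
        chmod -R g+w "$webroot/$d"                  # e.g. uploads, cache
        find "$webroot/$d" -type d -exec chmod g+s {} +  # new files keep the group
    done
}

# audit_webroot WEBROOT WRITABLE_DIR...
# Prints every path writable by group or others outside the allowed dirs;
# returns 1 if any exist, 0 if the tree still matches the policy.
audit_webroot() {
    webroot=$1; shift
    prune=""
    for d in "$@"; do prune="$prune -path $webroot/$d -prune -o"; done
    # shellcheck disable=SC2086  # deliberate word splitting of $prune
    hits=$(find "$webroot" $prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$hits" ] && return 0
    printf 'policy violation (writable by web server or world): %s\n' $hits
    return 1
}

# Demo on a constructed tree: a world-writable index.php gets locked down,
# uploads/ stays writable, and the audit passes. The current user's group
# stands in for www-data so the demo also runs unprivileged.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/app" "$root/uploads"
    printf '<?php echo 1;\n' > "$root/app/index.php"
    chmod 0777 "$root/app/index.php"
    lockdown_webroot "$root" "$(id -gn)" uploads
    if audit_webroot "$root" uploads; then echo "OK: $root"; fi
}

demo
```

On a real server run it as root with `www-data` as the group; the audit alone is safe to schedule as a periodic check.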

