Re: securing /var/www or web content

To: debian-security@lists.debian.org
Subject: Re: securing /var/www or web content
From: Daniel Sterling <dan@lost-habit.com>
Date: Mon, 27 Feb 2006 10:18:07 -0500
Message-id: <[🔎] 4403182F.1050706@lost-habit.com>
In-reply-to: <[🔎] 34357.213.224.83.4.1140988660.squirrel@www.gov-fbi.net>
References: <[🔎] 220A37C1-3CB1-45FF-9C25-B1CBA462633B@aiias.edu> <[🔎] 154ede550602261644p5ad6e24ek@mail.gmail.com> <[🔎] 34357.213.224.83.4.1140988660.squirrel@www.gov-fbi.net>

Sels, Roger wrote:

>The files in your /var/www should strictly speaking only be accessible to
>your webserver ; for apache usually www-data or apache or httpd accounts
>should have rwx permissions.
>  
>
You usually dont want to give the apache user write access to the site.
When Apache is compromised, a remote attacker could change your website
without having to escalate privileges first. Also, when Apache runs
scripts as the apache user (e.g. CGI for a local user), that script
would be able to rewrite your web site.

-- Dan

Reply to:

References:
- securing /var/www or web content
  - From: Arnel Pastrana <arnelgp@aiias.edu>
- Re: securing /var/www or web content
  - From: Olivier Papauré <olivier.papaure@gmail.com>
- Re: securing /var/www or web content
  - From: "Sels, Roger" <roger.sels@gov-fbi.net>

Prev by Date: Re: first A record of security.debian.org extremely slow
Next by Date: Re: encrpyt harddrive without passphrase/userinput
Previous by thread: Re: securing /var/www or web content
Next by thread: Mario Specht ist außer Haus.
Index(es):
- Date
- Thread