
Re: apache question



Ethan> however one thing you should do on a debian system is chown
Ethan> /var/www to root and make sure it's not group writable.  also
Ethan> chown /var/log/apache/* to root.adm and make sure the
Ethan> permissions are 640 or 644.  (you have to fix the apache cron
Ethan> jobs to not undo this change)

Ethan> for some insane reason debian leaves the www-root owned by
Ethan> www-data.www-data (the same user debian runs apache as) along
Ethan> with the logs.  this is totally wrong as the web server user
Ethan> should NOT own files or have any write permission to anything.
Ethan> if it does then all it takes is one of those unprivileged child
Ethan> processes to be exploited and your web site can be replaced and
Ethan> your logs can be removed. bad bad bad.

As for the document tree, I largely agree.  But as for the logs, don't
the child servers need to write them, almost by definition?

-- 
Ian Zimmerman, Oakland, California, U.S.A.
In his own soul a man bears the source
from which he draws all his sorrows and his joys.
Sophocles.
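Ethan's ownership rules as an audit script (an added example, not code from the thread; it assumes GNU find and stat as on Debian, and takes the directory, user and group as arguments rather than hardcoding /var/www, /var/log/apache, www-data and adm). Root-owned logs do not stop the children from logging: the parent opens the log files as root before forking, so the children write through inherited descriptors and need no write permission on the files themselves.

```shell
#!/bin/sh
# Audit an Apache host for the ownership rules quoted above:
#   docroot: nothing owned by the web-server user, nothing group/other writable
#   logs:    owned by OWNER:GROUP (root:adm on Debian), mode 640 or 644
# Assumes GNU find/stat. All paths and names are arguments (constructed example).

# audit_docroot DIR WEBUSER -> 0 when clean, 1 plus a report otherwise
audit_docroot() {
    docroot=$1
    webuid=$(id -u "$2" 2>/dev/null) || webuid=$2   # accept a name or a numeric uid
    bad=0
    # Files owned by the unprivileged child processes: an exploited child could replace them.
    owned=$(find "$docroot" -uid "$webuid" 2>/dev/null)
    [ -z "$owned" ] || { echo "owned by web user:"; echo "$owned"; bad=1; }
    # Files writable by group or other (/022 = either write bit set).
    writable=$(find "$docroot" -perm /022 2>/dev/null)
    [ -z "$writable" ] || { echo "group/other writable:"; echo "$writable"; bad=1; }
    return $bad
}

# audit_logs DIR OWNER GROUP -> 0 when every log is OWNER:GROUP with mode 640 or 644
audit_logs() {
    logdir=$1 owner=$2 group=$3
    bad=0
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue
        # shellcheck disable=SC2046
        set -- $(stat -c '%U %G %a' "$f")     # user group octal-mode
        case "$1:$2:$3" in
            "$owner:$group:640"|"$owner:$group:644") ;;
            *) echo "$f is $1:$2 mode $3 (want $owner:$group 640/644)"; bad=1 ;;
        esac
    done
    return $bad
}

# Stand-alone use with the defaults discussed in the thread:
#   audit_docroot /var/www www-data && audit_logs /var/log/apache root adm
```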


