
Re: files/dirs under /var/www/

On Wed, 7 Jun 2000, Will Trillich wrote:

> On Fri, Jun 02, 2000 at 01:08:04AM -0800, Ethan Benson wrote:
> > On Fri, Jun 02, 2000 at 01:52:10PM +0900, Olaf Meeuwissen wrote:
> > > Just a quick question: how (un)safe is it to create your own files and
> > > directories below /var/www/?  Are there any names taken (besides dwww
> > > and index.html)?
> > 
> > /var/www should belong to you, i don't think any debian package will
> > clobber anything in there, if they do it's a bug.  /var/www is set as
> > the document root for apache so it's obviously natural for your site to
> > go there and be organized how you see fit.  the index.html file should
> > be replaced by your own.
> > 
> > just make sure it's not owned by www-data.www-data! 
> 
> what's the flaw in that? it's MORE secure to have files owned by root??
> i don't grok that just yet, sensei...
> 

The problem with it is that ANYBODY who is able to put up a script
that runs as www-data will be able to remove your /var/www.

This includes anything run from an apache module or a cgi and not run via
suexec. E.g. php3 scripts, cgi-scripts, servlets, jsp files, and so on,
which all by default run as www-data.

And suexec is disabled by default.

Only this "small" flaw...

And there is no problem with files owned by root, as long as they are not
suid-root, or not executable at all.

Regards,

Robert
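The ownership problem Robert describes (anything running as www-data can unlink or rewrite files that www-data owns, and setuid binaries under the document root are their own hazard) is easy to audit mechanically. The script below is an added example, not code from this thread or from Debian; it assumes the Debian defaults (Apache running as www-data, DocumentRoot /var/www), both taken as parameters so it can be pointed elsewhere, and it uses only POSIX sh plus the `-uid`/`-gid` primaries of GNU and BSD find.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a DocumentRoot for
# anything the web-server user could delete or rewrite, plus setuid files.
# Assumed defaults: Apache user www-data, DocumentRoot /var/www (Debian).

# emit_findings REASON  -- read paths on stdin, print "REASON<TAB>path" lines
emit_findings() {
    while IFS= read -r p; do
        printf '%s\t%s\n' "$1" "$p"
    done
}

# audit_docroot [DOCROOT] [WEBUSER]
# Prints one "reason<TAB>path" line per finding.
# Exit status: 0 when clean, 1 when something was reported, 2 on bad input.
audit_docroot() {
    docroot="${1:-/var/www}"
    webuser="${2:-www-data}"

    webuid=$(id -u "$webuser" 2>/dev/null) || {
        echo "audit_docroot: unknown user '$webuser'" >&2
        return 2
    }
    webgid=$(id -g "$webuser" 2>/dev/null)

    findings=$(
        # 1. Owned by the web-server user: a script running as that user can
        #    unlink or rewrite these no matter what the mode bits say.
        find "$docroot" -uid "$webuid" 2>/dev/null \
            | emit_findings owned-by-webuser
        # 2. Group-writable and in the web-server user's primary group.
        find "$docroot" ! -uid "$webuid" -gid "$webgid" -perm -020 2>/dev/null \
            | emit_findings group-writable-by-webuser
        # 3. World-writable: modifiable by every local user, www-data included.
        find "$docroot" ! -uid "$webuid" -perm -002 2>/dev/null \
            | emit_findings world-writable
        # 4. Setuid files anywhere under the document root (any owner);
        #    root-owned files are fine only as long as they are not suid.
        find "$docroot" -type f -perm -4000 2>/dev/null \
            | emit_findings setuid
    )

    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# count_findings [DOCROOT] [WEBUSER] -- number of findings, for cron/tests
count_findings() {
    audit_docroot "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: ./audit.sh /var/www www-data
if [ "${0##*/}" = "audit.sh" ]; then
    audit_docroot "$@"
fi
```

Run it as root (so every file is readable) from cron; a non-zero exit status makes a clean hook for alerting. The usual remedy for anything it reports is `chown root:root` plus `chmod 0644` (files) or `0755` (directories), leaving only the directories that genuinely need uploads writable by www-data.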


