On Fri, Nov 27, 2009 at 10:47:28 +0000 (+0000), Stephen Nelson-Smith wrote:
> I have a site running drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).

Hmm - I don't need much for my drupal install FWIW - just "files".
Install of my (updated Drupal 6.14 packages for Ubuntu 8.04 from my site at
http://bitcube.co.uk/content/packages) hence www-data not apache.

$ find /usr/share/drupal6/ ! -user root
(nothing)
$ ls -l /usr/share/drupal6/sites/default/
total 16
-rw-r--r-- 1 root root       36 2009-03-26 10:24 baseurl.php
-rw-r----- 1 root www-data  536 2009-09-21 21:20 dbconfig.php
lrwxrwxrwx 1 root root       22 2009-03-26 09:48 files -> /var/lib/drupal6/files
-rw-r--r-- 1 root root     6131 2009-03-26 09:19 settings.php
$ ls -l /var/lib/drupal6/
total 8
drwxr-xr-x 2 root     root     4096 2009-03-01 18:06 backups
drwxr-x--- 6 www-data www-data 4096 2009-09-16 18:23 files

> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write

Seems sensible to me - files owned by root as far as possible so any
apache process can't change them, then apache where you need it.

Adrian
--
bitcube.co.uk - Linux infrastructure consultancy
Puppet, Debian, Red Hat, Ubuntu, CentOS, ...
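
The `find ... ! -user root` check from the reply, generalised as an added example (not part of the original post): it also flags group- or world-writable entries and lets the deliberately writable directories be exempted. The names `audit_webroot` and `make_sample_tree` are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Function and argument names
# are hypothetical.

# audit_webroot ROOT OWNER [EXEMPT_DIR...]
# Lists every path under ROOT that is not owned by OWNER (name or numeric
# UID), or that is group- or world-writable. EXEMPT_DIR entries, written
# with the same ROOT prefix, are skipped: they are the places the web
# server is meant to write, such as Drupal's "files" directory.
# Returns 0 if nothing is listed, 1 if something is, 2 if find failed.
audit_webroot() {
    aw_root=$1 aw_owner=$2
    shift 2
    # Rewrite each exempt directory as "-path DIR -prune -o" for find.
    for aw_dir in "$@"; do
        shift
        set -- "$@" -path "$aw_dir" -prune -o
    done
    # Symlinks always show mode 0777, so only their owner is checked.
    aw_hits=$(find "$aw_root" "$@" \
        \( ! -user "$aw_owner" -o \
           \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print) || return 2
    if [ -n "$aw_hits" ]; then
        printf '%s\n' "$aw_hits"
        return 1
    fi
    return 0
}

# make_sample_tree DIR: constructed layout, loosely modelled on the listing
# in the post, with one stray group-writable stylesheet to catch.
make_sample_tree() {
    mkdir -p "$1/files"
    : > "$1/settings.php";     chmod 0644 "$1/settings.php"
    : > "$1/dbconfig.php";     chmod 0640 "$1/dbconfig.php"
    : > "$1/theme.css";        chmod 0664 "$1/theme.css"
    : > "$1/files/upload.png"; chmod 0660 "$1/files/upload.png"
    chmod 0770 "$1/files"
}
```

With the layout from the post this would be run as `audit_webroot /usr/share/drupal6 root`, adding any real (non-symlinked) writable directory under the root as an exemption.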