Hi Hiep,
On Dec 12, 2007, at 3:13 PM, Hiep Nguyen wrote:
> I installed apache on centos 5 and I have some questions regarding
> security for apache. I read the security tips on
> http://httpd.apache.org/docs/2.2/misc/security_tips.html and get the idea,
> but still need some advice from the gurus here.
> /etc/httpd/conf/httpd.conf:
> ServerRoot "/etc/httpd"
> User apache
> Group apache
> DocumentRoot "/var/www/html"
> As of now, /var/www/html/ belongs to the root user & group.
Make this apache:apache, it fits better with the User/Group
specifiers above.
> But I have a couple of developers here that need to upload files to this
> folder, and I don't want to give out the root password. What
> should I change the /var/www/html/ folder to?
Use apache:apache if you think that all developers are
trustworthy ;-) Definitely not root:root. When you make the ownership
change, verify that apache:apache may indeed read /var/www/html/.
> I also have an SSI folder (/var/www/html/includes) that I don't want
> any web user to have access to, because these include files contain
> the user/password to mysql.
> For example, at the beginning of /var/www/html/index.php, I have:
> <?php
> // Shared settings and the MySQL connection (carries the DB credentials)
> include_once('/var/www/html/includes/global.php');
> include_once('/var/www/html/includes/connect.php');
> ?>
PHP includes this way locally, from the file system. There is no need
to park these files in the docroot tree. E.g., stick them in
/var/www/includes/, outside of /var/www/html. Then use
include_once('/var/www/includes/global.php').
> I try to prevent web users from doing this:
> wget http://10.0.0.120/includes/global.php
> but at the same time allow the apache server to access files in the
> /var/www/html/includes/ folder.
Definitely a good idea ;-)
See above.
HTH,
--
Karel Kubat / M +31 6 2956 4861 (+31 6 AWK 6 HUM 1)
From the collection of Wise Quotes:
"I'm not into working out. My philosophy: No
pain, no pain." - Carol Leifer
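As an added example (not code from the thread), here is a small bash audit that flags include/require calls in PHP files whose target lies beneath the DocumentRoot, i.e. exactly the files the wget line above could fetch; it also resolves relative includes, which the thread does not cover, and /var/www/html is only the assumed default.

```shell
#!/bin/bash
# Added example, not from the thread: audit a DocumentRoot for PHP files whose
# include/require calls point at files that live *inside* the docroot, i.e.
# files a client could fetch directly (the "wget .../includes/global.php" risk).
# Only the parenthesised form shown on the list, e.g. include_once('/path'),
# is recognised; relative paths are taken relative to the including file.
#
# Usage: audit_includes /var/www/html
# Prints one "file: include-path" line per offending include.

audit_includes() {
    docroot=$(cd "$1" && pwd -P) || return 2

    find "$docroot" -type f -name '*.php' | while read -r php; do
        # Extract the quoted argument of each include/require(_once) call.
        grep -oE "(include|require)(_once)?\(['\"][^'\"]+['\"]\)" "$php" \
        | sed -E "s/^[a-z_]+\(['\"]//; s/['\"]\)$//" \
        | while read -r inc; do
            case "$inc" in
                /*) abs=$inc ;;                    # already absolute
                *)  abs=$(dirname "$php")/$inc ;;  # relative to the caller
            esac
            # Flag anything whose path starts with the docroot prefix.
            case "$abs" in
                "$docroot"/*) echo "$php: $inc" ;;
            esac
        done
    done
}

if [ $# -gt 0 ]; then
    audit_includes "$1"
fi
```

An include that resolves under /var/www/includes (outside the docroot) is not reported, which is the layout recommended above.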