On October 18, 2012 5:56 , jupiter <jupiter....@gmail.com> wrote:
>> For the ssh key, it is important to keep it secure.  Anyone who gets
>> this key can use it to log in to any system that trusts the key.  So it
>> is best to have the key be single-purpose, used only for your PHP web
>> application and not for anything else.  If the key already exists (that
>> is, it was not created just for the use of this PHP web application) and
>> is owned by another user, then that is not great and by letting the user
>> "apache" read (a copy of) the key you may be doing something dangerous.
> The key is only used by the PHP web application, so apache owns that key.

But in your original email you said, "the ssh key is "-rw-------" permission which deny apache to access it". If apache owns the key, it should be able to read it. Or do you mean "/usr/bin/ssh refused to use the key, even though it could read it, due to it being in a directory owned by another user and/or readable by another user"?

Either way, it's good that you're only using this key for the web application and nothing else.


>> it would be very bad if your DocumentRoot were /var/www for some reason,
>> as you'd then be making your ssh key available to anyone who could
>> access your web site).
> Are you saying that the apache home directory is in /var/www which
> cannot be changed, but the DocumentRoot should be changed to any other
> directory other than /var/www? The DocumentRoot should not be the same
> directory as the apache home directory for security reasons.


The apache home directory can be changed, if you want to change it.

The DocumentRoot directive says, "make all files in and below this directory available to web clients". Do you want people requesting http://your.server/.bashrc or http://your.server/.ssh/id_rsa ? If not, make sure that the DocumentRoot directory and the apache home directory are two different things.

Under CentOS, the default DocumentRoot directory is /var/www/html so if you have not changed this, it is OK to have the private ssh key in /var/www/.ssh/id_pub since that will not get served to clients.

--
  Mark Montague
  m...@catseye.org
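As an added example (not part of the thread above), a small POSIX sh check for the two points Mark makes: the private key must not sit anywhere under DocumentRoot, and it must be owned by the account that runs the PHP application with no group/other access. The paths, the "apache" owner and the key file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the httpd users thread. Checks that an ssh private
# key used by a PHP web application (1) cannot be served by httpd because it
# lies outside DocumentRoot and (2) is readable only by its owning account.

# Canonicalise a path so that /var/www/html/../.ssh/id_rsa and symlinks
# cannot sneak a key "outside" DocumentRoot on paper only.
canon() {
    if command -v realpath >/dev/null 2>&1; then
        realpath -m "$1"
    else
        (cd "$(dirname "$1")" 2>/dev/null && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")") \
            || printf '%s\n' "$1"
    fi
}

# key_outside_docroot DOCROOT KEY
# Returns 0 when KEY is not DOCROOT itself and not below it (so httpd will
# not serve it), 1 when it would be served.
key_outside_docroot() {
    docroot=$(canon "$1")
    key=$(canon "$2")
    case "$key" in
        "$docroot"|"$docroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# key_perms_ok KEY OWNER
# Returns 0 when KEY is a regular file owned by OWNER whose group and other
# permission bits are all zero (0600, 0400, ...), which is also what ssh
# itself insists on before it will use a private key.
key_perms_ok() {
    key=$1
    owner=$2
    [ -f "$key" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback (assumption: one of them exists)
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    user=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
    [ "$user" = "$owner" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # last two octal digits (group, other) must be 0
        *) return 1 ;;
    esac
}

# Typical CentOS layout from the thread: DocumentRoot /var/www/html,
# apache home /var/www, key in /var/www/.ssh (constructed paths, not checked here).
# key_outside_docroot /var/www/html /var/www/.ssh/id_rsa && key_perms_ok /var/www/.ssh/id_rsa apache
```

Run both checks from a cron job or a deployment script and fail the deployment when either returns non-zero.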

