> Date: Thursday, March 10, 2016 12:24:23 +0000 > From: Lester Caine <les...@lsces.co.uk> > > On 10/03/16 01:40, Francis Roy wrote: >> This is a new install of Linux Mint 17.x with the default >> Apache/2.4.7 (Ubuntu) install at /etc/apache2 >> My websites, plain html and PHP are kept on a different hard-drive. >> /media/username/Terrabyte/00_Server/htdocs > > Francis ... > Since security on Linux is a high priority, many of the default > actions are set up with that in mind. > When Apache is installed it uses it's own user and group and if the > demo site is also created this is owned by that. I think Ubuntu uses > 'www-data' and 'www' so the tidy way of changing your setup is to > > chown -R www-data:www /media/username/Terrabyte/00_Server/htdocs
For security reasons, the documentroot directory and files, and other server related directories/files (configuration, etc.) should never be owned or writable by the user or group that the web server runs under. As appropriate they need to be readable by the web server, but never owned/writable by its user/group (www-data:www in this context). The issue is that if the web server's user/group own/can write to the those directories/files, if someone is able to break through the server - either an issue with the server or more likely some poorly written script - they will control those directories/files and be able to deface the served content and perhaps more with ease, i.e., "own" what is served by your web server. In general, the documentroot directories/files should be owned by some unprivileged user and (only) readable by "other". There may be times when it seems necessary to have the web server have write access to the directories/files, e.g., for content updates. In such cases, care needs to be given to how this is done to ensure that security is maintained. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
