11-27-2009, 09:46 AM
Stephen Nelson-Smith

Best way to secure apache web root

I have a site running drupal. The apache user therefore needs to be
able to write certain files (CSS files for example).

I also have a directory under my web root which is a SAN mount, to
which apache must be able to write.

What is the most secure way to implement this?

I am thinking:

chown -R root:apache /var/www/html
chmod -R 0750 /var/www/html
chown apache:apache for where need to write

Is there a better way?

S.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-27-2009, 11:27 AM
Eero Volotinen

Best way to secure apache web root

Stephen Nelson-Smith wrote:
> I have a site running drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).
>
> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write

Yes, use acl and selinux.

--
Eero
11-27-2009, 12:14 PM
Stephen Nelson-Smith

Best way to secure apache web root

Hi,

>> What is the most secure way to implement this?
>>
>> I am thinking:
>>
>> chown -R root:apache /var/www/html
>> chmod -R 0750 /var/www/html
>> chown apache:apache for where need to write
>
> Yes, use acl and selinux.

Could you expand? Have you an example you could point me at? I'm
happy to read any relevant documentation, but having a map helps.

S.
11-27-2009, 12:53 PM
Peter Peltonen

Best way to secure apache web root

Hi,

On Fri, Nov 27, 2009 at 12:46 PM, Stephen Nelson-Smith
<stephen@atalanta-systems.com> wrote:
> I have a site running drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).
>
> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write
>
> Is there a better way?

What is usually a good approach is to set up specific directories where
Apache can write (like "files" or "images") and then disable PHP/other
code execution from that directory. So if someone is able to hack your
web app and upload something (malicious code) into that directory, it
won't get executed.

To put it briefly: keep your executable code and upload directories separate.

Cheers,
Peter
11-30-2009, 05:49 AM
Geerd-Dietger Hoffmann

Best way to secure apache web root

Hey

On Fri, Nov 27, 2009 at 10:46 AM, Stephen Nelson-Smith
<stephen@atalanta-systems.com> wrote:
> I have a site running drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).
>
> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
>
> What is the most secure way to implement this?
>
> I am thinking:
>
> chown -R root:apache /var/www/html
> chmod -R 0750 /var/www/html
> chown apache:apache for where need to write
>
> Is there a better way?

This might be an idea
http://www.faqs.org/docs/securing/chap29sec254.html

and this

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-acls.html

Of course, disabling execution of files in your upload dir is really important.

Cheers Didi

--

My www page: www.ribalba.de
Email / Jabber: ribalba@gmail.com
Skype : ribalba
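
Added example, not part of the thread or written by any of its posters: a POSIX shell audit of the layout the replies above converge on (a code tree apache cannot write to, plus a few declared writable directories that hold no scripts). The function name, the finding labels and the extension list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root laid out as
# root:apache 0750 with a few directories apache may write to.
# Assumption: apache gets access via group/other mode bits, so any g+w or
# o+w bit outside the declared writable directories is a finding.
#
# Usage: audit_webroot DOCROOT WRITABLE_DIR...   (dirs relative to DOCROOT)
# Findings, one per line:
#   WRITABLE_OUTSIDE <path>  group/other-writable, not under a declared dir
#   CODE_IN_WRITABLE <path>  script file inside a declared writable dir
#   MISSING <path>           declared writable dir does not exist
audit_webroot() (
    docroot=${1%/}
    shift

    # 1. Nothing outside the declared dirs should be writable by apache.
    #    Symlinks are skipped: their mode bits are always 0777.
    find "$docroot" ! -type l \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r path; do
        allowed=no
        for dir in "$@"; do
            case $path in
                "$docroot/${dir%/}" | "$docroot/${dir%/}"/*) allowed=yes ;;
            esac
        done
        [ "$allowed" = yes ] || printf 'WRITABLE_OUTSIDE %s\n' "$path"
    done

    # 2. Writable dirs should hold data only. The extension list is an
    #    assumption; match it to the handlers your Apache actually maps.
    for dir in "$@"; do
        target=$docroot/${dir%/}
        if [ ! -d "$target" ]; then
            printf 'MISSING %s\n' "$target"
            continue
        fi
        find "$target" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.cgi' -o -iname '*.pl' -o -iname '*.py' \) -print |
            sed 's/^/CODE_IN_WRITABLE /'
    done
)

# Run directly (example path): ./audit_webroot.sh /var/www/html sites/default/files
if [ "$#" -gt 0 ]; then
    audit_webroot "$@"
fi
```

The check reads mode bits only; files owned by the apache user itself, ACL entries and SELinux contexts need their own review with `getfacl` and `ls -Z`.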