My server is CentOS 7, with PHP 5.4 and Apache 2.4. My website is located in /var/www.

As apache is the only user that reads or writes in /var/www, I set the owner and group of all files and folders to apache:

For the folders and files that are read only: -r------- 1 apache apache 922 Jun 3 2014 connect.php
For the files that need to be written: -rw------- 1 apache apache 922 Jun 3 2014 connect.php
Which means only 600 or 400 for file permissions. (*.php does not need the x permission.)
As for folder permissions, only 500 or 700.

This should be the best practice, because it provides as little permission as possible.
Is there any security issue?

  • @JennyD, different question. I am asking about the security issue. Commented Jan 24, 2019 at 8:09
  • As a rule of thumb, it's considered acceptable to close as duplicate if the answers to the other question also answer yours, even if the question isn't quite the same. Commented Jan 24, 2019 at 8:20
  • @JennyD, which other answer also answers my question? I could not find any. Commented Jan 24, 2019 at 8:26
  • The fact that the UID of the web server is the owner of your web content means that a vulnerability / exploit in either the webserver or, more likely, your PHP code will allow an attacker to modify all content (the owner of files can simply change their permissions with chmod, so making the files read-only is only a minor inconvenience), so what you propose is generally considered a bad idea. Commented Jan 24, 2019 at 8:27
  • The accepted answer is quite long and contains information about security issues. So do a few of the others. Commented Jan 24, 2019 at 8:32

1 Answer

No, this is not best practice. The user that apache runs as should not own any files or directories. This user should have only read access to anything, and especially to executable files, such as *.php, unless write access is specifically needed for a particular case, such as an uploads directory.

The reason for this is quite simple: If an attacker is able to find an exploit allowing them to execute their own code in the web server's process, then they are able to write to any files the web server can write to. If the web server has write access to the executable files, then this means they can change the executables to do whatever the attacker chooses, whenever a user accesses the corresponding URLs. Even if they only have write access to non-executable files (e.g., *.html), this gives them control of the content sent to your site's users, including the ability to send malicious JavaScript or embedded content to them.

Making the files owned by the web server user with chmod 400 is no better, as the user who owns a file can change its permission at will to give themselves write access.

  • We cannot eradicate apache's write permission, because almost all websites have upload folders. For example, I upload an avatar to Stack Overflow, and I can also change my avatar. Commented Jan 24, 2019 at 8:37
  • @kittygirl - You're still able to make apache the owner of only the upload directories and give write access only for those directories. If it owns everything, then a successful exploit will allow the attacker to overwrite everything. Much better to limit the damage to just the uploads, no? Commented Jan 24, 2019 at 9:08
  • How about ----r----- 1 webuser apache 1757 Jun 3 2018 index.php? Deprive the owner of any permission and leave only the apache group permission. Commented Jan 24, 2019 at 13:42
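
The layout the answer recommends, as an added example that is not code from the original answer or from the site: one function applies ownership and modes (code owned by a separate admin account, read-only for the apache group, write access only under the uploads directory), and an audit function lists what the service account could still write, treating every file the service account owns as writable whatever its mode, which is the chmod point made in the answer and in the comments. Assumed names: root as the owning admin account, apache as the service user and group, /var/www/uploads as the only writable directory.

```shell
#!/bin/bash
# Added example, not code from the original post. Assumed names: a web root,
# an admin account (root) that owns the code, and a service account (apache)
# that only needs read access, plus write access in one uploads directory.

# harden_webroot ROOT ADMIN SVC [UPLOADS]
# Applies the layout the answer recommends: code owned by ADMIN, readable by the
# SVC group with no write bit (750/640), write access only inside UPLOADS.
# Needs root, because of chown. Uploads stay owned by ADMIN as well, so the
# service account gets group write there but cannot chmod its way further.
harden_webroot() {
  local root="$1" admin="$2" svc="$3" uploads="${4:-}"
  chown -R "$admin:$svc" "$root"
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
  if [ -n "$uploads" ] && [ -d "$uploads" ]; then
    find "$uploads" -type d -exec chmod 2770 {} +
    find "$uploads" -type f -exec chmod 660 {} +
  fi
}

# audit_webroot ROOT SVC SVCGROUP [UPLOADS]
# Lists every path outside UPLOADS that the service account could end up
# writing. The OWNER class is the point made in the answer: a file owned by the
# service account is writable whatever its mode, since the owner can chmod it.
#   OWNER path  owned by SVC (mode irrelevant)
#   GROUP path  group SVCGROUP with the group write bit
#   WORLD path  world-writable
# Empty output means the web root is read-only for the service account.
audit_webroot() {
  local root="$1" svc="$2" grp="$3" uploads="${4:-}"
  {
    find "$root" -user "$svc" | sed 's/^/OWNER /'
    find "$root" ! -user "$svc" -group "$grp" -perm -g=w | sed 's/^/GROUP /'
    find "$root" -perm -o=w | sed 's/^/WORLD /'
  } | if [ -n "$uploads" ]; then grep -v "^[A-Z]* $uploads"; else cat; fi | sort
}

# Usage (as root):
#   harden_webroot /var/www root apache /var/www/uploads
#   audit_webroot  /var/www apache apache /var/www/uploads
```

Run the audit after hardening: on the layout from the question (everything owned by apache with mode 400) every file shows up as OWNER, on the hardened layout only paths under the uploads directory would, and those are pruned.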
