
I wish to set my whole web architecture owned by root:root, and allow the apache user read rights only.

I don't know whether it is possible: chmod -R 744 makes it return an E403 from the browser, permission denied to access xxxx.php

But since Apache is public ("other"?) it should be able to "read", right? I don't understand it. I also tried chown root:apache but the result is the same, which is even more confusing...

Sebas
  • Don't use `root` for things that are better handled with normal user accounts, such as this. – Michael Hampton Mar 10 '13 at 04:30
  • @MichaelHampton, the idea was to protect the files from apache. But I realised I can do the same with proper file permissions. – Sebas Mar 10 '13 at 11:57

2 Answers


Files need 644, directories need 755. Using 744 on the whole tree means Apache does not have permission to read the contents of any of the directories.

Also, depending on the OS, you may run into problems with kernel security mechanisms (AppArmor, SELinux) if you use a non-standard location like /www.

I'll provide some example commands for cleaning up the perms when I'm not on my phone.

EDIT:

This will set the files and directories to be world readable:

find /www -type f -exec chmod 644 {} +
find /www -type d -exec chmod 755 {} +

To clarify what I said earlier about file vs directory permissions:

  1. Files don't need the execute bit to be read. Permissions of 0744 would set the file permissions to look like this: -rwxr--r--
  2. Directories need the execute bit and the read bit. This StackOverflow article provides an excellent overview of how directory permissions work.

EDIT (again):

Just noticed the CentOS tag, so you can disregard the AppArmor caveat. And I think SELinux is off by default, so that shouldn't be a problem either. Fixing the permissions should be all you need.

Insyte
  • Hmm I have some questions. When I set all the files to apache:apache, everything works fine with chmod -R 500. Are you sure the 755 permission is really mandatory? – Sebas Mar 10 '13 at 00:48
  • You're correct; my example left write enabled by root. If you want the files to be owned by `root:root` and still be readable by `apache`, you could go with 555 and 444 (dirs / files). – Insyte Mar 10 '13 at 01:12
  • The key point is to not use the same perms on both files and directories. You don't want files in your web root to end up with executable permissions on them. – Insyte Mar 10 '13 at 01:14
  • oh, what could happen? – Sebas Mar 10 '13 at 01:19
  • hmm and what do you think about the strategy of making apache the owner of everything but with the 500 grants, which seems pretty safe to me. Is it ok? – Sebas Mar 10 '13 at 01:28
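As an added illustration (not part of Insyte's answer or the comment thread), the script below builds a throwaway tree, applies the question's chmod -R 744, reports what a non-owner such as apache would be blocked by, and then applies the 444/555 (files/dirs) split from the comments. It only inspects mode bits with find's portable symbolic -perm form; it does not switch to the apache user. The file names under the mktemp directory are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer. Checks and fixes the mode bits
# of a web root that stays owned by root:root and is served by a non-owner.

# Print every entry that stops "other" (the apache user here) from serving the
# tree, plus any file that carries an execute bit. Returns 1 if anything was
# reported, 0 if the tree is clean.
check_webroot() {
    root=$1
    problems=$(
        # Directories need r AND x for other: r to list, x to traverse/stat.
        find "$root" -type d ! -perm -o+rx \
            -exec printf 'dir not readable+traversable by other: %s\n' {} \;
        # Files only need r for other.
        find "$root" -type f ! -perm -o+r \
            -exec printf 'file not readable by other: %s\n' {} \;
        # Files in a web root should not be executable by anyone.
        find "$root" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
            -exec printf 'file has an execute bit: %s\n' {} \;
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# root:root owner, read-only for everyone else: 444 on files, 555 on
# directories (the 644/755 pair in the answer also works; this is the variant
# from the comments, with no write bit even for the owner).
fix_webroot() {
    find "$1" -type f -exec chmod 0444 {} +
    find "$1" -type d -exec chmod 0555 {} +
}

# Build a constructed tree, reproduce the question's chmod -R 744, then fix it.
# Prints "<problems before> <problems after>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/app/inc"
    printf '<?php echo "hi";\n' > "$tmp/www/index.php"
    printf '<?php\n' > "$tmp/www/app/inc/config.php"

    chmod -R 744 "$tmp/www"          # what the question did
    before=$(check_webroot "$tmp/www" | wc -l | tr -d ' ')

    fix_webroot "$tmp/www"
    after=$(check_webroot "$tmp/www" | wc -l | tr -d ' ')

    chmod -R u+w "$tmp" && rm -rf "$tmp"   # cleanup needs the write bit back
    printf '%s %s\n' "$before" "$after"
}
```

With 744 everywhere, the three directories lack o+x and the two files carry u+x, so the first check reports five problems; after fix_webroot it reports none. Run check_webroot on a real document root before restarting httpd; it is cheap and catches the directory/file mix-up the answer describes.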

Look into using ACLs. You'll be able to leave root as the owner and still give apache access (without chmod'ing files to a point where it compromises security).

Peter
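As an added example of the ACL approach (not Peter's own commands), the script below keeps root:root ownership and restrictive 750/640 modes, then grants the web server account read on files and traverse on directories through POSIX ACLs, with a default ACL so files created later inherit the grant. It assumes a Linux host with the acl package (setfacl/getfacl) on a filesystem that supports ACLs; "apache" is the account from the question, and the demo uses the "nobody" account only because it exists on most systems. Directory names under mktemp are made up.

```shell
#!/bin/sh
# Added example, not from the original answer. Grants a web server user read
# access via ACLs while the tree stays root:root with no "other" permissions.

# Grant $user read on files and read+traverse on directories under $root.
# Capital X gives execute only on directories (and on files that already
# have an execute bit), so files stay non-executable. The default ACL on each
# directory makes new files inherit the entry.
grant_web_read() {
    root=$1; user=$2
    setfacl -R -m "u:$user:rX" "$root" || return 1
    find "$root" -type d -exec setfacl -m "d:u:$user:rX" {} + || return 1
}

# Constructed demo: prints "skipped" without setfacl, "unsupported" if the
# filesystem refuses ACLs, "ok" if the entries look as expected, else
# "mismatch". Real usage: grant_web_read /www apache
demo_acl() {
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/inc"
    : > "$tmp/www/index.php"
    chmod 750 "$tmp/www" "$tmp/www/inc"       # nothing for "other"
    chmod 640 "$tmp/www/index.php"
    if ! grant_web_read "$tmp/www" nobody 2>/dev/null; then
        rm -rf "$tmp"; echo unsupported; return 0
    fi
    # Access entries as getfacl reports them: r-- on the file, r-x on the dir.
    f=$(getfacl "$tmp/www/index.php" 2>/dev/null | grep '^user:nobody:')
    d=$(getfacl "$tmp/www" 2>/dev/null | grep '^user:nobody:')
    rm -rf "$tmp"
    if [ "$f" = "user:nobody:r--" ] && [ "$d" = "user:nobody:r-x" ]; then
        echo ok
    else
        echo mismatch
    fi
}
```

Two caveats: setfacl recalculates the ACL mask unless you pass -n, so a later chmod on the group bits also changes the effective ACL rights; and on SELinux-enforcing CentOS the files still need the right context (httpd_sys_content_t) regardless of the ACL.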