
I want to enable apache to automatically create files/directories.

In some web hosts, for example, when I install WordPress, apache is able to automatically create the wp-config.php file.

But in my VPS, I have to manually create the wp-config.php file.

I know that doing chmod 777 is dangerous and that chown apache:apache means the previous owner can't write to these files.

How can I do this? Do I have to set apache's User and Group dynamically?

ComMania

2 Answers


You can create multiple logins with the same uid:gid. For example, the logins apache, www, site and developer can all be assigned to uid=80. That allows keeping existing users while new equivalent accounts are added easily.

Kondybas

Try using these commands from any directory you want the server to be able to access.

chmod 775 .
chgrp apache .

This will allow the web server to write to the directory even if it doesn't own it. (I am assuming the group used by your web server is apache.)

Once the file is created, you can change the permission to prevent writing new files to the directory with the command (again run from the directory).

chmod 755 .

You can substitute the directory path for . in all the above commands.

Try to limit the number of files and directories your server can write to. These locations can be used to store malware if your web server is compromised.

BillThor
  • The server does not need to be compromised for these to store malware. There is a huge list of things you need to do to mitigate the abuse of a directory writeable by the webserver uid - exactly what security model is applicable depends on how the facility is intended to be used. This is better than chmod 0777 – symcbean Dec 29 '13 at 00:03
  • (should say this is `no better than chmod 0777`) – symcbean Dec 29 '13 at 19:30
  • 0775 is better, as 0777 allows anyone with access to the server to write the directory. – BillThor Dec 29 '13 at 22:22
  • And who exactly would that be (bearing in mind that even if this is a shared host, all the vhosts are running as the same uid)? – symcbean Dec 29 '13 at 22:25
  • @symcbean Any userid with access to the server. I would expect the various content owners to each have a different uid. There may be other uids for other users and services. 0777 allows anyone of these ids to modify (add/remove/replace) content. 0775 limits modifications to the directory owner and members of the web-server's group. Normally the web server is the only user/uid in that group. – BillThor Dec 30 '13 at 05:03
  • If any user can deploy a script executable by the apache user then they can read and write files as the apache uid. If all files are writeable by the apache uid then all files are writeable by any uid. – symcbean Dec 30 '13 at 09:32
  • @symcbean That's why you always want to limit access. Only users with domains should be able to write. This should be a subset of all users. There are steps that can be taken to limit the ability to run scripts using the web server's UID. 0775 instead of 0777 is one of several steps toward securing the server. Shared services increase the likelihood that someone will do something wrong. But don't use that as an excuse to do wrong. – BillThor Dec 30 '13 at 22:45
  • You seem to be a sensible guy so I can only assume you have not understood what I'm saying here. The only limit you are placing here is disallowing write access by 'other' - but there is nobody accessing the system who falls into this category: any uid also has access to the apache uid - you've not taken away write privilege from any *user* by applying 0775 privilege instead of 0777. – symcbean Dec 30 '13 at 23:20
  • @symcbean I don't see your assertion that all users have access to the apache userid anywhere in his post. Even if it were so, it doesn't excuse bad security practice. This discussion is leading nowhere. – BillThor Dec 30 '13 at 23:46
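As an added example (not part of either answer or the comments), the following POSIX shell script wraps the open/close procedure from the second answer into functions and adds an audit that lists directories under a tree which are world-writable (the 0777 case) or writable by the web server's group, so the set of writable locations can be reviewed after deployment. The group name is a parameter because it differs between distributions (apache, www-data, http); the function names are the example's own.

```shell
#!/bin/sh
# Added example: temporarily let the web server's group write to one directory,
# close it again afterwards, and audit a tree for writable directories.
# Assumption: the web server's group (apache, www-data, ...) is passed as $2.

# Make DIR writable by GROUP without making it world-writable (mode 0775).
open_for_group() {
    dir="$1"; group="$2"
    chgrp "$group" "$dir" && chmod 0775 "$dir"
}

# Close the directory again: owner may write, group and others may only
# read and traverse (mode 0755).
close_dir() {
    chmod 0755 "$1"
}

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# List directories under ROOT that are world-writable (-perm -002) or that
# belong to GROUP and are group-writable (-perm -020). An empty result means
# nothing under ROOT can be written by the web server's uid via these bits.
audit_writable() {
    root="$1"; group="$2"
    find "$root" -type d \( -perm -002 -o \( -group "$group" -perm -020 \) \) -print
}

# Usage: ./webdir.sh /var/www/html apache   (open, let the installer run, close)
if [ "$#" -eq 2 ]; then
    open_for_group "$1" "$2"
    echo "opened $1 (mode $(mode_of "$1")); writable directories now:"
    audit_writable "$1" "$2"
    close_dir "$1"
    echo "closed $1 (mode $(mode_of "$1"))"
fi
```

Run the open step, let the installer create wp-config.php, then run the close step; the audit output is what the last paragraph of the answer asks you to keep as short as possible.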