4

I'm troubleshooting a permissions problem which could be solved if all files in Apache's root folder were owned by a user not "root". Since this is a sandbox and I'm the only one playing in it, there isn't any human conflict. Will I silently break something if I make this change?

I've never questioned that files outside of the /home are owned by any other user than the system's root user account. Most of the time changing permissions does indeed break things, but the thought. OHHH. How naughty. hahahah.

xtian

3 Answers

4

A bit late, I'm afraid, but I just found this. There's a lot of confusion/misinformation in the comments here. You can do whatever you want, within these basic principles. I'm assuming that the httpd user and group (see the User and Group directives in httpd.conf) are 'apache' and 'apache'; substitute for your own particular installation.

1 - the files to be served must be readable by user 'apache'

2 - the directories must be searchable by user 'apache'

3 - CGI programs must be runnable by user 'apache'

4 - user 'apache' should not own any files

5 - user 'apache' should not be permitted to write any files

6 - group 'apache' should not be permitted to own or write to any files

Your setup - where root owns the files - is acceptable, but it makes more sense in most setups that whoever has to modify the files (via ftp/etc) should either (a) own them, or (b) be in a group that has write permissions for the files.

Come up with a scheme that meets all these criteria, and you should be OK. Obviously don't allow 'others' to have any permissions that aren't necessary. It's normal, however, for user 'apache' to be in 'others', so files will normally need read permissions for others. Post your specific solution here if you want it checked.

EML
  • How does a PHP app like Drupal fit in your scheme? It has to be able to write to the directories where it saves files. And, PHP's text to file function also needs write permissions. – xtian Sep 23 '11 at 14:36
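An added example, not part of the answer above: a small Python audit that checks a document root against rules 1, 2, 4, 5 and 6 from the list, using only the classic owner/group/other permission bits (ACLs are ignored, and rule 3 is left out because nothing here says which files are CGI programs). The function names and the command-line usage are assumptions of this example.

```python
import os
import stat
import sys

def effective_bits(mode, uid, gid, web_uid, web_gids):
    """rwx triplet (0-7) that applies to the web user: owner, else group, else other."""
    if uid == web_uid:
        return (mode >> 6) & 7
    if gid in web_gids:
        return (mode >> 3) & 7
    return mode & 7

def check_entry(mode, uid, gid, web_uid, web_gids):
    """Return the rules from the list above that one file or directory violates."""
    bits = effective_bits(mode, uid, gid, web_uid, web_gids)
    problems = []
    if stat.S_ISDIR(mode):
        if not bits & 1:
            problems.append("2: directory not searchable by web user")
    elif not bits & 4:
        problems.append("1: file not readable by web user")
    if uid == web_uid:
        problems.append("4: owned by web user")
    if bits & 2:
        problems.append("5: writable by web user")
    if gid in web_gids:
        extra = " and group-writable" if mode & stat.S_IWGRP else ""
        problems.append("6: group-owned by web group" + extra)
    return problems

def audit_tree(root, web_uid, web_gids):
    """Walk root and map each offending path to its violated rules (symlinks skipped)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            problems = check_entry(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids)
            if problems:
                findings[path] = problems
    return findings

if __name__ == "__main__":
    import pwd
    root, user = sys.argv[1], sys.argv[2]  # assumed usage: audit.py /var/www apache
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for path, problems in sorted(audit_tree(root, pw.pw_uid, gids).items()):
        print(path, "->", "; ".join(problems))
```

Files that a regular user owns with mode 644 and directories with mode 755 come back clean; anything owned by, group-owned by, or writable by the web user is listed with the rule it breaks.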
0

No problem. You can change the owner to your user name as long as the group name is set to whatever Apache uses as a group name. Why? Because after a week I did it anyway. So far, nothing has broken.

I asked the question before I made the change because I use a framework application on my test server. It's installed under the different owner as I mentioned above. And, it's practically impossible to put a large folder of files (and this framework has over 3000 files) back to the original permissions after a change.

xtian
  • I know it's not relevant now, but couldn't you have just copied the framework files (all 3,000, but whatever) somewhere in order to preserve their permissioning? – Andrew Cheong Apr 26 '14 at 01:50
-1

Apache won't run as root. So the Apache server has no permissions to write to the files owned by root. If you need write access for apache or your PHP scripts, you shouldn't store web content as root.

You probably don't need write access for apache scripts and allowing it could pose a security risk. That risk can be mitigated by using root or whichever user usually edits those files.

The user names for an Apache instance are usually something like www-run, www-data or apache.

Alexander Otavka
Thomas Berger
  • The original owner+group of the files in /var/www were root+apache and 6226+6226... – xtian Aug 20 '11 at 14:48
  • @xtian then change the ownership back to at least the apache group – Thomas Berger Aug 20 '11 at 14:53
  • Your comment suggests `apache` files should never be owned by root. Yet my server works with these files as root. The group is user "apache"--I've never changed it, nor do I care to. Maybe it would be clearer what I'm asking if the question read, "Can Apache's root server pages (`www-run` `www-data` `apache`) be *owned* by any user and still *function*?" – xtian Aug 20 '11 at 18:42
  • There is no security risk in having apache files owned by root, but it is far more practical to have them owned by a regular user so that you don't need special privileges to work on your files. – ccpizza Sep 28 '17 at 22:05