Results 1 to 4 of 4

Thread: set folder permission to allow apache write access

  1. #1
    Junior Member Newbie
    Join Date
    Jan 2007
    Posts
    13

    Default set folder permission to allow apache write access

    Hi,
    I have a question about the most secure way to set a folder's permissions so that the server can write files in it.

    I've created a folder in my document root directory, but I've had to set the permissions to:
    drwxrwxrwx
    In order for the apache server to be able to write new files to the directory (the document owner appears as "apache"). Is having a directory that is rwx by the public secure? Should I instead try to add the "apache" user to some kind of unix group and then set the permissions to:
    drwxrwxr-x

    As you can see from my prior postings I'm new to this and any help would be appreciated!! Thanks,
    Dave

  2. #2
    Former Employee Power Poster
    Join Date
    Apr 2005
    Location
    Seattle, WA
    Posts
    140

    Default

    Having a directory which is world writable is not a good idea as it does pose security risks. In fact, allowing uploading of files via the web is a security risk which could potentially lead to compromising of your server. Because the files are being owned as apache, you are most likely using PHP. PHP executes with the same permissions as the apache server, thus only if the directory is owned by the apache server's user/group can you upload through the web.

    You may however wish to look into installing a program called suPHP. This program provides the same benefits as the normal SUExec apache module. PHP pages will run as the website's user instead of as the server's user. Thus you will be able to write to a directory under your website without having to change the ownership. In the event that your server does become compromised by someone uploading files to /tmp or /var/tmp, those files will be owned by the vulnerable website's user; thus you know which site to investigate.
    Last edited by spry-jd; 03-09-2007 at 12:39 PM.

  3. #3
    Junior Member Newbie
    Join Date
    Jan 2007
    Posts
    13

    Default

    Okay, I just set the folder owner to apache with:

    chown apache myFolder

    and set the permissions to:

    drwxr-xr-x

    I think that should suffice for my purposes.

  4. #4
    Former employee Newbie
    Join Date
    Jul 2006
    Posts
    57

    Default

    If you wish to audit the file and folder permissions on your server, then you may want to look into using the "find" command. The following command will search for folders that are world writable:

    find / -type d -perm -002

    And the following command will search for files that are world writable:

    find / -type f -perm -002

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •