Discuss: Securing Apache Web Servers
by Siddharth Anbalahan
Which is the best approach to securely run a web application which uses apache web server, Tomcat and postgre on linux, i.e. as a non-root user?
I believe there is a problem with your recommended file permissions for the htdocs directory:
chown -R apache.webdev /var/htdocs
chmod -R 2570 /var/htdocs
Here's the problem. Let's say webmaster (a member of webdev) places a new html file in the htdocs dir. The new file is owned by webmaster and not apache, and apache is not a member of the group webdev based on an earlier recommendation. Now apache is unable to serve up the file - at least until ownership is changed to apache.
Am I missing something?
Thanks! Great site!
John
Apache should be able to render any new files created in the htdocs directory, as by default the permissions set on newly created files are Owner=Read/Write, Group=Read/Write, Other=Read (rw_rw_r__). Since Other (all other users) has Read permission, the apache server process will still be able to render this file.
However, as a result of the above permissions, the source code of these web pages would be readable by all users. Hence, as recommended by the article, it is safer to change the file permissions of newly developed web pages such that only members of the webdev group can Read/Write the files, and to set the apache user as the owner of these files with only Read permission.
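
The two conditions this exchange turns on (who owns a file in htdocs, and whether its mode grants read to "other") can be checked with a short script. This is an added example, not code from the article or from either commenter; the function names are hypothetical, and the apache owner is taken from the commands quoted above.

```shell
#!/bin/sh
# Added example: audit a document root for ownership and "other" read access.
# Function names are hypothetical; run as: sh audit.sh /var/htdocs apache

# Mode string a newly created file receives in directory $2 under umask $1.
# The probe file is created in a subshell so the caller's umask is unchanged.
mode_under_umask() {
    (
        umask "$1"
        probe="$2/.umask_probe.$$"
        : > "$probe"
        ls -l "$probe" | cut -c1-10
        rm -f "$probe"
    )
}

# Regular files under $1 that are not owned by user $2 (name or numeric uid).
not_owned_by() {
    find "$1" -type f ! -user "$2" -print
}

# Regular files under $1 whose mode grants read to "other".
world_readable() {
    find "$1" -type f -perm -004 -print
}

# Report both conditions; exit status 0 only when neither is found.
audit_docroot() {
    docroot=$1
    owner=${2:-apache}
    foreign=$(not_owned_by "$docroot" "$owner")
    open=$(world_readable "$docroot")
    [ -n "$foreign" ] && printf 'not owned by %s:\n%s\n' "$owner" "$foreign"
    [ -n "$open" ] && printf 'readable by other:\n%s\n' "$open"
    [ -z "$foreign$open" ]
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    audit_docroot "$1" "${2:-apache}"
fi
```

The mode a new file receives depends on the creating user's umask: `mode_under_umask 002 DIR` yields `-rw-rw-r--`, while `mode_under_umask 027 DIR` yields `-rw-r-----`.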