0

My server is CentOS 7, with PHP 5.4 and Apache 2.4. My website is located in /var/www.

Since apache is the only user that reads or writes in /var/www, I set the owner and group of all files and folders to apache:

For the folders and files that are read only: `-r------- 1 apache apache 922 Jun 3 2014 connect.php`
For the files that need to be written: `-rw------- 1 apache apache 922 Jun 3 2014 connect.php`
Which means only 600 or 400 for file permissions. (*.php files do not need x permission.)
As for folder permissions, only 500 or 700.

This should be the best practice, because it provides as little permission as possible.
Is there any security issue?

kittygirl
  • @JennyD, different question. I am asking about `security issue`. – kittygirl Jan 24 '19 at 08:09
  • 1
    As a rule of thumb, it's considered acceptable to close as duplicate if the *answers* to the other question also answer yours, even if the *question* isn't quite the same. – Jenny D Jan 24 '19 at 08:20
  • @JennyD, which other answer also answers my question? I could not find any. – kittygirl Jan 24 '19 at 08:26
  • 2
    The fact that the UID of the web server is the owner of your web content means that a vulnerability / exploit in either the webserver or, more likely, your PHP code will allow an attacker to modify all content (the owner of files can simply change their permissions with `chmod`, so making the files read-only is only a minor inconvenience), so what you propose is generally considered a bad idea. – HBruijn Jan 24 '19 at 08:27
  • 1
    The accepted answer is quite long and contains information about security issues. So do a few of the others. – Jenny D Jan 24 '19 at 08:32
  • @HBruijn, how about `----r----- 1 webuser apache 1757 Jun 3 2018 index.php`? Deprive the owner of any permission, leaving only the `apache` group permission. – kittygirl Jan 24 '19 at 13:43

1 Answer

6

No, this is not best practice. The user that apache runs as should not own any files or directories. This user should have only read access to anything, and especially to executable files, such as *.php, unless write access is specifically needed for a particular case, such as an uploads directory.

The reason for this is quite simple: If an attacker is able to find an exploit allowing them to execute their own code in the web server's process, then they are able to write to any files the web server can write to. If the web server has write access to the executable files, then this means they can change the executables to do whatever the attacker chooses, whenever a user accesses the corresponding URLs. Even if they only have write access to non-executable files (e.g., *.html), this gives them control of the content sent to your site's users, including the ability to send malicious javascript or embedded content to them.

Making the files owned by the web server user with chmod 400 is no better, as the user who owns a file can change its permission at will to give themselves write access.

Dave Sherohman
  • We cannot eradicate `apache` having `write` permission, because almost all websites have `upload` folders. For example, I upload an avatar to stackoverflow, and I can also change my avatar. – kittygirl Jan 24 '19 at 08:37
  • @kittygirl - You're still able to make apache the owner of _only_ the upload directories and give write access _only_ for those directories. If it owns everything, then a successful exploit will allow the attacker to overwrite _everything_. Much better to limit the damage to just the uploads, no? – Dave Sherohman Jan 24 '19 at 09:08
  • How about `----r----- 1 webuser apache 1757 Jun 3 2018 index.php`? Deprive the owner of any permission, leaving only the `apache` group permission. – kittygirl Jan 24 '19 at 13:42
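
Added example, not part of the original question, answer or comments: a small audit that walks a web root and reports every file or directory the web server account owns (and could therefore `chmod`) or can write to through group or other bits, skipping directories that are meant to be writable. The function names, the `writable_ok` parameter and the command-line arguments are assumptions made for this sketch, and it assumes the web server account is not root.

```python
import os
import stat

def web_access(st, web_uid, web_gids):
    """What a non-root web server account can do to one file or directory."""
    if st.st_uid == web_uid:
        bits = (st.st_mode >> 6) & 7      # owner class applies
        owner = True                      # owner may chmod, so 400 is not a barrier
    else:
        in_group = st.st_gid in web_gids
        bits = (st.st_mode >> 3) & 7 if in_group else st.st_mode & 7
        owner = False
    return {"read": bool(bits & 4), "write": bool(bits & 2), "can_chmod": owner}

def audit(root, web_uid, web_gids, writable_ok=()):
    """List (path, reason) for everything under root the web account could modify,
    ignoring the directories named in writable_ok (relative to root, e.g. uploads)."""
    allowed = [os.path.join(root, d) for d in writable_ok]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if any(path == a or path.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                  # symlink modes are not meaningful
            acc = web_access(st, web_uid, web_gids)
            if acc["can_chmod"]:
                findings.append((path, "owned by web user (can chmod)"))
            elif acc["write"]:
                # For a directory this also means files in it can be replaced.
                findings.append((path, "writable by web user"))
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # Assumed usage: audit.py /var/www apache uploads
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for path, reason in audit(root, pw.pw_uid, gids, writable_ok=sys.argv[3:]):
        print(f"{reason}: {path}")
```

An empty result means the web account can modify nothing outside the listed writable directories. A file with mode `----r-----` owned by another user, with the web account in its group, is reported as neither owned nor writable.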