
My server is CentOS 7, with PHP 5.4 and Apache 2.4. My website is located in /var/www.

Since apache is the only user that reads or writes in /var/www, I set the owner and group of all files and folders to apache:

For the folders and files that are read only:
-r-------- 1 apache apache 922 Jun 3 2014 connect.php
For the files that need to be written:
-rw------- 1 apache apache 922 Jun 3 2014 connect.php
This means only 600 or 400 for file permissions (*.php does not need the x permission).
As for folder permissions, only 500 or 700.

This should be best practice, because it grants as little permission as possible.
Is there any security issue?

kittygirl

1 Answer


No, this is not best practice. The user that apache runs as should not own any files or directories. This user should have only read access to anything, and especially to executable files, such as *.php, unless write access is specifically needed for a particular case, such as an uploads directory.

The reason for this is quite simple: If an attacker is able to find an exploit allowing them to execute their own code in the web server's process, then they are able to write to any files the web server can write to. If the web server has write access to the executable files, then this means they can change the executables to do whatever the attacker chooses, whenever a user accesses the corresponding URLs. Even if they only have write access to non-executable files (e.g., *.html), this gives them control of the content sent to your site's users, including the ability to send malicious JavaScript or embedded content to them.

Making the files owned by the web server user with chmod 400 is no better, as the user who owns a file can change its permission at will to give themselves write access.

Dave Sherohman
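The check the answer implies, as an added example that is not part of the original answer: a POSIX shell script that lists what under a web root the web server account owns or could write to, so a layout like the one in the question can be caught before deployment. It assumes the web root /var/www and the account and group name apache from the question as defaults; the script is not from the page.

```shell
#!/bin/sh
# Added audit script (not from the original post). Lists entries under a web root
# that the web server account owns or can write to: the pattern the answer warns
# against. Assumed defaults: web root /var/www, user and group "apache".

# Entries under $1 owned by user $2. Per the answer, this list should be empty.
audit_owned_by_webuser() {
    find "$1" -user "$2" 2>/dev/null | sort
}

# Entries under $1 that user $2 (primary group $3) could write to:
# owner-writable and owned by the user, group-writable and in its group,
# or world-writable. Only a deliberate uploads directory should appear here.
audit_writable_by_webuser() {
    {
        find "$1" -user "$2" -perm -200 2>/dev/null    # u+w, owned by web user
        find "$1" -group "$3" -perm -020 2>/dev/null   # g+w, in web group
        find "$1" -perm -002 2>/dev/null               # o+w, anyone
    } | sort -u
}

# Run both checks; return 1 if anything was flagged so it can gate a deploy.
audit_webroot() {
    root=${1:-/var/www}; user=${2:-apache}; group=${3:-$user}
    owned=$(audit_owned_by_webuser "$root" "$user")
    writable=$(audit_writable_by_webuser "$root" "$user" "$group")
    [ -z "$owned" ] || printf 'Owned by %s (should be none):\n%s\n' "$user" "$owned"
    [ -z "$writable" ] || printf 'Writable by %s (expect only upload dirs):\n%s\n' "$user" "$writable"
    [ -z "$owned" ] && [ -z "$writable" ]
}

# Usage: sh audit_webroot.sh [webroot] [webuser] [webgroup]
[ $# -eq 0 ] || audit_webroot "$@"
```

A clean tree owned by root (or a deploy account) with mode 644/755 and a single 770 uploads directory group-owned by apache produces one line of output; the question's layout produces a line for every file.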