  1. #1 (Just Joined!)

    Apache 'conf' and 'html' permissions?


    I am currently running the Apache webserver under Linux RedHat and am relatively new to the whole thing so please bear with me....

    I would sincerely appreciate your recommendations as to:

    1) Which user/group (e.g. apache) should own the "etc/httpd/conf/" and "var/www/html" folders and sub-contents?
    2) What are the appropriate permissions (chmod nnn?) for the named user/group?

    If it makes any difference, I am using basic authentication over SSL and all associated certificate/password files are stored in the conf directory.

    Thanks in advance.


    Rob.

  2. #2 (Linux Guru)
    1) /etc/httpd/conf & /var/www/html/ should be owned by the apache user. The user that Apache runs under will be in the httpd.conf file (search for "User" IIRC). The line below will say what group it runs under. Once you have this info, it would be "chown nobody:nobody /var/www/html" for example, if the user:group were nobody and nobody. (chown is change ownership). All that said, the folder can be owned by any user/group you want, as long as apache has at least read access to it.
    2) Depends on what you are going to do with the folder. Have a look in the Tutorials section, near the bottom there is a list of common chmods.

    Jason

  3. #3 (Just Joined!)
    Thanks for your response...

    My webserver is running as user:apache and group:apache and so I had previously assigned ownership using the chown and chgrp commands. You have confirmed this decision makes sense. Thanks.

    My plan is to serve plain content (html pages and images) across my LAN without any fancy interaction (e.g. uploads etc.). To achieve this, I understand that Apache will require read (chmod 400) access (at least) to the 'conf' and 'www' directories. However, basic authentication over SSL only appears to work when set to read + execute (chmod 500). I've been advised that this (eXecute) 'is wrong' and that the directories and contents should only be read. Do you agree with this, and why might it not be working?

    I include the relevant portion from my http.conf file below:

    Code:
    #Load SSL module
    LoadModule ssl_module modules/mod_ssl.so
    
    #Listen for incoming connections on port 443 (SSL)
    Listen 146.87.95.51:443
    
    #NameVirtualHost is only valid at server-config level, so it sits outside
    #the <VirtualHost> block rather than inside it
    NameVirtualHost 146.87.95.51:443
    
    #Added Virtual Host (SSL)
    <VirtualHost 146.87.95.51:443>
        DocumentRoot /var/www/html/secure/
        ServerName 146.87.95.51
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/servercert.pem
        SSLCertificateKeyFile /etc/httpd/conf/privkey.pem
        SSLCertificateChainFile /etc/httpd/conf/cacert.pem
    </VirtualHost>
    
    #Added Secure Directory
    <Directory /var/www/html/secure/>
        SSLRequireSSL
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /etc/httpd/conf/.passwords
        Require valid-user
    </Directory>
    If you feel you can help, I'd be most grateful.

    Regards,



    Rob.

  4. #4 (Linux Guru)
    Quote Originally Posted by rjb25
    My plan is to serve plain content (html pages and images) across my LAN without any fancy interaction (e.g. uploads etc.). To achieve this, I understand that Apache will require read (chmod 400) access (at least) to the 'conf' and 'www' directories. However, basic authentication over SSL only appears to work when set to read + execute (chmod 500). I've been advised that this (eXecute) 'is wrong' and that the directories and contents should only be read. Do you agree with this, and why might it not be working?
    Unfortunately, I've never really worked with Apache authentication or SSL in Apache before, so I am not really best placed to help further, sorry.

    Jason

  5. #5 (Just Joined!)
    Thanks Jason...

    Through testing etc, I've come to some sort of conclusion which I thought may be useful to share.

    Owner & Group Ownership
    As we acknowledged, both the 'conf' and 'html' directories must be owned by the same user/group accounts as stated in the Apache configuration file (httpd.conf). To do this, you may use the GUI right-click > Properties menu (e.g. in KDE Konqueror), or execute the following commands at the terminal console:


    Code:
    # Change owner & group ownership of 'conf' directory (and contents)
    chown -R apache:apache /etc/httpd/conf
    
    # Change owner & group ownership of 'html' directory (and contents)
    chown -R apache:apache /var/www/html

    Directory/File Permissions
    Having assigned ownership of the directories and files to the appropriate user/group accounts, it must be decided what is a suitable level of access (e.g. read/write/execute for owner/group/others). This is quite an important decision, as the last thing we want is for unauthorised users (local or remote) to manipulate/copy/delete our configuration files or web content.

    'html' directory

    Since the intended scenario does not require the ability to upload/delete files on the web server ('html' dir) from a remote client browser, it logically follows that the permissions should be 'read only'. However, since Linux carries the concept of user/group/other specific permissions, it must be decided to whom 'read-only' access will be granted (i.e. just the user, the whole group, or anyone else).

    As all web maintenance etc is to be performed within the context of the system 'root' user account (who by implication has full access to all files), there is no need to provide anyone else other than the Apache user account with access. The Apache group doesn't really even need to have access.

    Based on the above considerations, I feel the 'html' directory should be configured as follows:

    Code:
    # Assign read-only access to the 'html' directory (and sub-contents) for the file owner (Apache)
    chmod -R 400 /var/www/html
    'conf' directory

    Assuming you have configured Apache to store its log files outside the 'conf' directory (or not at all), the Apache user account should only need read access to 'conf'. Think about it... To apply the configuration settings from the 'httpd.conf' file and use password/certificate files etc., all Apache has to do is read the relevant files; it doesn't have to change/delete/create them. And again, the Apache user account should be the only user/group/account that requires this access. Based on the above considerations, I assigned the following permissions to my 'conf' directory:


    Code:
    # Assign read-only access to the 'conf' directory (and sub-contents) for the file owner (Apache)
    chmod -R 400 /etc/httpd/conf
    Since the 'conf' directory is outside of the webserver's document root ('html'), any remote users operating under the Apache account would not be able to read/manipulate its contents.


    The Quirk
    Now, this is the part that had me baffled...It had pretty much all made sense up to this point, but it still didn't work.

    Essentially, it boils down to this...In order to use certificate/password files etc from the 'conf' directory, the Apache user account has to be able to 'enter' the directory before being able to 'read' its contents. By adding this permission using the command below, I was one step nearer to solving the problem.

    Code:
    # Assign read + enter permissions to directory owner
    chmod 500 /etc/httpd/conf
    
    # note the absence of '-R' (recursive) -> sub-contents still only have read access
    At this stage, the secure service still wasn't working so I applied the above logic to the 'html' directory. In order to 'read' and return web content to the client browser, the Apache user account (dir owner) would need to be able to 'enter' the 'html' directory first. The following permissions were assigned:

    Code:
    # Assign read + enter permissions to directory owner
    chmod 500 /var/www/html
    
    # Again, note the absence of '-R' (recursive) -> sub-contents still only have read access

    Conclusion
    This solved the problem and I now have reasonable confidence in the user/group ownership/permissions assigned.

    Quite an interesting puzzle, and I may still have it wrong. At the moment, however, it seems sensible???


    Regards,


    Rob.

  6. #6 (Just Joined!)
    So the lesson is...

    Directories need read+enter access, whilst files only need read.



    Rob.

  7. #7 Giro (Linux Engineer)
    Your permissions for your html files should be chmod 644, otherwise no one could access your html files from the web, because only you can read them. And I don't get 500: why do you need execute permissions?
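An added example, not code from the thread or from the Apache project: a short Python script that emulates the kernel's owner/group/other check for a chosen identity on a constructed scratch tree, so Rob's 400-versus-500 experiment and the 644 question above can be reproduced without chmod'ing a live server. It also carries the caveat a reviewer would raise about post #5: httpd starts as root, parses httpd.conf and loads the SSLCertificateKeyFile in the parent process, and only then forks its workers as the configured User/Group, so neither the conf directory nor the private key has to be owned or even readable by the apache account. With conf owned by apache, every worker process (and anything that compromises one) can read privkey.pem and .passwords; the script's audit reports exactly that, and reports nothing for a root-owned layout with 755 directories, 644 content and 0600 secrets. The sample tree, the uid/gid 48 used as a stand-in "apache" worker, and the invoking user standing in for the file owner are all assumptions of the example.

```python
"""Emulate the owner/group/other permission check for a chosen identity, so the
thread's 400-vs-500 experiment can be reproduced on a scratch tree.  Added
example, not code from the thread.  uid 0 is deliberately not special-cased:
root bypasses these bits, and the question is always what the worker
identity (User/Group in httpd.conf) can do."""
import os
import tempfile

R, W, X = 4, 2, 1

# Constructed sample tree mirroring the thread's paths, relative to a temp base.
LAYOUT = {
    "conf/httpd.conf": "plain",
    "conf/privkey.pem": "secret",
    "conf/.passwords": "secret",
    "html/secure/index.html": "plain",
}
DIRS = ["conf", "html", "html/secure"]  # every directory in LAYOUT, shallowest first


def bits_for(st, uid, gids):
    """rwx bits (0-7) that identity (uid, gids) gets from a stat result."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def can_open(base, rel, uid, gids, want=R):
    """Each directory between base and base/rel needs x (only x: r on a directory
    is for listing it); the leaf needs `want`.  base itself is assumed reachable."""
    cur, parts = base, rel.split(os.sep)
    for name in parts[:-1]:
        cur = os.path.join(cur, name)
        if not bits_for(os.stat(cur), uid, gids) & X:
            return False, "no enter (x) bit on directory " + cur
    leaf = os.path.join(cur, parts[-1])
    if (bits_for(os.stat(leaf), uid, gids) & want) != want:
        return False, "missing %s on %s" % ("w" if want & W else "r", leaf)
    return True, "ok"


def audit(base, uid, gids):
    """What the worker identity could tamper with (write) and which secrets it can
    read.  The caller must itself be able to list the tree; in practice run as root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(base):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), base)
            if can_open(base, rel, uid, gids, W)[0]:
                findings.append("writable by worker: " + rel)
            if LAYOUT.get(rel) == "secret" and can_open(base, rel, uid, gids, R)[0]:
                findings.append("secret readable by worker: " + rel)
    return sorted(findings)


def build_tree(base):
    """Create LAYOUT under base with placeholder content."""
    for rel in LAYOUT:
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("constructed sample content\n")
    return base


def set_modes(base, dir_mode, file_mode, secret_mode):
    """Apply modes as the thread's chmod commands do: open directories up first so
    every path stays reachable, set the files, then tighten directories deepest-first."""
    for d in DIRS:
        os.chmod(os.path.join(base, d), 0o700)
    for rel, kind in LAYOUT.items():
        os.chmod(os.path.join(base, rel), secret_mode if kind == "secret" else file_mode)
    for d in reversed(DIRS):
        os.chmod(os.path.join(base, d), dir_mode)


def demo():
    """Rob's layout (the worker owns everything) versus a root-owned one.  The invoking
    user stands in for the owning 'apache' account; uid/gid 48 (apache on Red Hat, an
    assumption) stands in for a worker that is merely 'other' to root-owned files."""
    owner, owner_gids = os.getuid(), {os.getgid()}
    worker, worker_gids = (48, {48}) if owner != 48 else (1048, {1048})
    page, key, out = "html/secure/index.html", "conf/privkey.pem", {}
    with tempfile.TemporaryDirectory() as tmp:
        base = build_tree(os.path.join(tmp, "httpd"))
        set_modes(base, 0o400, 0o400, 0o400)   # chmod -R 400: no directory can be entered
        out["400_page"] = can_open(base, page, owner, owner_gids)[0]
        set_modes(base, 0o500, 0o400, 0o400)   # 500 on every directory: it works ...
        out["500_page"] = can_open(base, page, owner, owner_gids)[0]
        out["500_findings"] = audit(base, owner, owner_gids)   # ... but workers read the secrets
        set_modes(base, 0o100, 0o400, 0o400)   # x alone is enough to reach a known path
        out["100_page"] = can_open(base, page, owner, owner_gids)[0]
        set_modes(base, 0o755, 0o644, 0o600)   # root-owned layout: content world-readable, secrets 0600
        out["root_owned_page"] = can_open(base, page, worker, worker_gids)[0]
        out["root_owned_key"] = can_open(base, key, worker, worker_gids)[0]
        out["root_owned_findings"] = audit(base, worker, worker_gids)
        set_modes(base, 0o700, 0o600, 0o600)   # so the temp dir can be removed
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it prints the results dictionary. Two things the thread does not spell out fall out of the emulation: the enter bit alone (mode 100) is enough for the worker to reach a file whose path it already knows, with the read bit on a directory needed only for listing it (Options Indexes), and a worker that owns the conf tree can read the key and password files whatever the mode, because the owner bits are its own. The audit walks the tree as the invoking user, so on a real system run it as root and pass the worker's uid and gids; root is not special-cased in bits_for because the kernel lets root through regardless, and that is never the identity the question is about.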
