12-08-2003 #1, Just Joined! (Join Date: Dec 2003; Location: UK, NW; Posts: 4)
Apache 'conf' and 'html' permissions?
I am currently running the Apache webserver under Linux RedHat and am relatively new to the whole thing so please bear with me....
I would sincerely appreciate your recommendations as to:
1) Which user/group (e.g. apache) should own the "etc/httpd/conf/" and "var/www/html" folders and sub-contents?
2) What are the appropriate permissions (chmod nnn?) for the named user/group?
If it makes any difference, I am using basic authentication over SSL and all associated certificate/password files are stored in the conf directory.
Thanks in advance.
Rob.
12-08-2003 #2, Linux Guru (Join Date: Apr 2003; Location: London, UK; Posts: 3,284)
1) /etc/httpd/conf & /var/www/html/ should be owned by the apache user. The user that Apache runs under will be in the httpd.conf file (search for "User" IIRC). The line below will say what group it runs under. Once you have this info, it would be "chown nobody:nobody /var/www/html" for example, if the user:group were nobody and nobody. (chown is change ownership). All that said, the folder can be owned by any user/group you want, as long as apache has at least read access to it.
2) Depends on what you are going to do with the folder. Have a look in the Tutorials section, near the bottom there is a list of common chmods.
Jason
12-08-2003 #3, Just Joined! (Join Date: Dec 2003; Location: UK, NW; Posts: 4)
Thanks for your response...
My webserver is running as user:apache and group:apache and so I had previously assigned ownership using the chown and chgrp commands. You have confirmed this decision makes sense. Thanks.
My plan is to serve plain content (html pages and images) across my LAN without any fancy interaction (e.g. uploads etc.). To achieve this, I understand that Apache will require read (chmod 400) access (at least) to the 'conf' and 'www' directories. However, basic authentication over SSL only appears to work when set to read + execute (chmod 500). I've been advised that this (eXecute) 'is wrong' and that the directories and contents should only be read. Do you agree with this? and why might it not be working?
I include the relevant portion from my httpd.conf file below. If you feel you can help, I'd be most grateful.
Code:
    # Load SSL module
    LoadModule ssl_module modules/mod_ssl.so

    # Listen for incoming connections on port 443 (SSL)
    Listen 146.87.95.51:443

    # NameVirtualHost is only valid at server-config level, so it belongs
    # before the <VirtualHost> block rather than inside it
    NameVirtualHost 146.87.95.51:443

    # Added Virtual Host (SSL)
    <VirtualHost 146.87.95.51:443>
        DocumentRoot /var/www/html/secure/
        ServerName 146.87.95.51
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/servercert.pem
        SSLCertificateKeyFile /etc/httpd/conf/privkey.pem
        SSLCertificateChainFile /etc/httpd/conf/cacert.pem
    </VirtualHost>

    # Added Secure Directory
    <Directory /var/www/html/secure/>
        SSLRequireSSL
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /etc/httpd/conf/.passwords
        Require valid-user
    </Directory>
Regards,
Rob.
12-09-2003 #4, Linux Guru (Join Date: Apr 2003; Location: London, UK; Posts: 3,284)
Unfortunately, I've never really worked with Apache authentication or SSL in Apache before, so I am not really best placed to help further, sorry.
Jason
12-10-2003 #5, Just Joined! (Join Date: Dec 2003; Location: UK, NW; Posts: 4)
Thanks Jason...
Through testing etc, I've come to some sort of conclusion which I thought may be useful to share.
Owner & Group Ownership
As we acknowledged, both the 'conf' and 'html' directories must be owned by the same user/group accounts as stated in the Apache configuration file (httpd.conf). To do this, you may use the GUI right-click > Properties menu (e.g. in KDE Konqueror), or execute the following commands at the terminal console:
Code:
    # Change owner & group ownership of 'conf' directory (and contents)
    chown apache /etc/httpd/conf -R
    chgrp apache /etc/httpd/conf -R

    # Change owner & group ownership of 'html' directory (and contents)
    chown apache /var/www/html -R
    chgrp apache /var/www/html -R
Directory/File Permissions
Having assigned ownership of the directories and files to the appropriate user/group accounts, it must be decided what is a suitable level of access (e.g. read/write/execute for owner/group/others). This is quite an important decision, as the last thing we want is for unauthorised users (local or remote) to manipulate/copy/delete our configuration files or web content.
'html' directory
Since the intended scenario does not require the ability to upload/delete files on the web server ('html' dir) from a remote client browser, it logically follows that the permissions should be 'read only'. However, since Linux carries the concept of user/group/other specific permissions, it must be decided to whom 'read-only' access will be granted (i.e. just the user, the whole group, or anyone else).
As all web maintenance etc is to be performed within the context of the system 'root' user account (who by implication has full access to all files), there is no need to provide anyone else other than the Apache user account with access. The Apache group doesn't really even need to have access.
Based on the above considerations, I feel the 'html' directory should be configured as follows:
Code:
    # Assign read-only access to the 'html' directory (and sub-contents) for the file owner (Apache)
    chmod 400 /var/www/html -R
'conf' directory
Assuming you have configured Apache to store its log files outside the 'conf' directory (or not at all), the Apache user account should only need read access to 'conf'. Think about it... To apply the configuration settings from the 'httpd.conf' file and use password/certificate files etc., all Apache has to do is read the relevant files; it doesn't have to change/delete/create them. And again, the Apache user account should be the only user/group/account that requires this access. Based on the above considerations, I assigned the following permissions to my 'conf' directory:
Since the 'conf' directory is outside of the webserver's document root ('html'), any remote users operating under the Apache account would not be able to read/manipulate its contents.
Code:
    # Assign read-only access to the 'conf' directory (and sub-contents) for the file owner (Apache)
    chmod 400 /etc/httpd/conf -R
The Quirk
Now, this is the part that had me baffled... It had pretty much all made sense up to this point, but it still didn't work.
Essentially, it boils down to this... In order to use certificate/password files etc. from the 'conf' directory, the Apache user account has to be able to 'enter' the directory before being able to 'read' its contents. By adding this permission using the command below, I was one step nearer to solving the problem.
Code:
    # Assign read + enter permissions to directory owner
    chmod 500 /etc/httpd/conf
    # note the absence of '-R' (recursive) -> sub-contents still only have read access
At this stage, the secure service still wasn't working, so I applied the above logic to the 'html' directory. In order to 'read' and return web content to the client browser, the Apache user account (dir owner) would need to be able to 'enter' the 'html' directory first. The following permissions were assigned:
Code:
    # Assign read + enter permissions to directory owner
    chmod 500 /var/www/html
    # Again, note the absence of '-R' (recursive) -> sub-contents still only have read access
Conclusion
This solved the problem and I now have reasonable confidence in the user/group ownership/permissions assigned.
Quite an interesting puzzle, and I may still have it wrong. At the moment, however, it seems sensible???
Regards,
Rob.
12-10-2003 #6, Just Joined! (Join Date: Dec 2003; Location: UK, NW; Posts: 4)
So the lesson is...
Directories need read+enter access, whilst files only need read.
Rob.
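An added shell example, not code from this thread, that applies the scheme Rob arrives at in #5 and #6 (directories 500 for owner read + search, files 400 for owner read only) to a whole tree in one pass, then audits the tree so that a later loosening of modes gets noticed. It deliberately does not use a single chmod -R, which would give files an execute bit or directories none. Owner and group are parameters rather than hard-coded apache:apache, since, as Jason says in #2, any owner works as long as Apache can read the files; the demo therefore runs against a constructed temporary tree owned by the current user. It assumes GNU coreutils and findutils (stat -c, find -perm with an octal mode) as found on Red Hat.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the scheme the thread settles on
# (directories 500 = owner read+search, files 400 = owner read) to a tree, then
# audits the tree for anything that drifted from those modes.
# Assumes GNU coreutils/findutils (stat -c, find -perm with an octal mode).
set -u

# harden_tree OWNER GROUP DIRMODE FILEMODE PATH
# Directories and files get different modes on purpose: the execute bit on a
# directory means "search/enter", which a plain HTML file never needs, so a
# single "chmod -R" cannot express the scheme correctly.
harden_tree() {
    owner=$1; group=$2; dirmode=$3; filemode=$4; root=$5
    chown -R "$owner:$group" "$root" || return 1
    find "$root" -type d -exec chmod "$dirmode" {} + || return 1
    find "$root" -type f -exec chmod "$filemode" {} + || return 1
}

# audit_tree DIRMODE FILEMODE PATH
# Lists every directory or file whose mode is not exactly the expected one
# and returns 1 if there is any; returns 0 for a clean tree. Run it from cron
# so that a hasty "chmod -R 777" to make something work does not go unnoticed.
audit_tree() {
    dirmode=$1; filemode=$2; root=$3
    offenders=$(find "$root" \( \( -type d ! -perm "$dirmode" \) -o \
                                  \( -type f ! -perm "$filemode" \) \) -print)
    if [ -n "$offenders" ]; then
        printf 'expected dirs %s / files %s, found:\n%s\n' \
            "$dirmode" "$filemode" "$offenders" >&2
        return 1
    fi
    return 0
}

# cleanup_tree PATH: restore owner write so a 500/400 tree can be removed.
cleanup_tree() {
    chmod -R u+rwx "$1" && rm -rf "$1"
}

# demo: constructed stand-in for /var/www/html, owned by the current user so
# the script runs unprivileged; on the real box the owner/group arguments
# would be the User/Group from httpd.conf (apache apache in this thread).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/secure"
    printf '<html>public</html>\n'  > "$tmp/index.html"
    printf '<html>private</html>\n' > "$tmp/secure/index.html"

    harden_tree "$(id -un)" "$(id -gn)" 500 400 "$tmp" || return 1
    echo "after harden_tree:"
    find "$tmp" -exec stat -c '%a %n' {} +

    audit_tree 500 400 "$tmp" && echo "audit: clean"

    chmod 644 "$tmp/index.html"           # simulate drift
    audit_tree 500 400 "$tmp" || echo "audit: drift detected (expected)"

    cleanup_tree "$tmp"
}

demo
```

One point worth being precise about when deciding which files the unprivileged account needs: httpd starts as root, reads httpd.conf and the SSL certificate and key, and only then switches to the User/Group from the configuration, whereas the AuthUserFile and the content under DocumentRoot are opened per request by the unprivileged worker. In the thread's layout it is the .passwords file kept in conf that forces the search bit on /etc/httpd/conf; had it lived elsewhere, the apache user would not have needed to enter conf at all.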
12-10-2003 #7
Your permissions for your html files should be chmod 644, otherwise no one could access your html files from the web because only you can read them. And I don't get 500; why do you need execute permissions?