[Gllug] Apache web root permissions
Walter Stanish
walter.stanish at saffrondigital.com
Fri Nov 27 11:01:59 UTC 2009
> I have a site running drupal. The apache user therefore needs to be
> able to write certain files (CSS files for example).
If it's possible to perform any requisite configuration (I suspect
this write permission is used to support web-based upload of templates...
I'm not that familiar with drupal) and then remove permissions once
configuration has been made, it is theoretically more secure than
leaving write access around indefinitely.
> I also have a directory under my web root which is a SAN mount, to
> which apache must be able to write.
Whether it's a SAN mount or not shouldn't cause great problems, assuming
the SAN has filesystem permissions compatible with your local users.
If not, then I would mount only the section of the SAN filesystem
you need with appropriate permission changes (i.e. group = apache user)
to preserve security on other shared directories.
> What is the most secure way to implement this?
There's always more you can do, but your suggestion is a fairly
common deployment strategy on lots of hosts.
If you want to go a bit more elaborate, you can also do things like:
- running apache just for this site under a dedicated username,
therefore prohibiting write by other web applications (if vhosting)
- running apache chrooted and 'bind' mounting the requisite directories
into the included directory structure
- running apache in a vserver (fast) or vm (slow), and bind-mounting
or sharing (respectively) any required directories across from the
host machine
Other common web server security strategies:
- limiting compiled-in PHP features
- add one or more kernel security patches (SEL, grsecurity, etc.)
- disabling any additional services
- running any remote login services (SSH) on non-standard ports
to prevent constant dictionary attacks
Really, security decisions need to be based on your wider system
configuration and expectations for the future.
- Walter
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
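The permission scheme the reply describes (a web root that the web server can read but not write, group write opened on only the directories the application needs, and that write access revoked again once configuration is finished), as an added example that is not part of the original post or the list archive. It is a plain POSIX shell script working on a throwaway directory; the web server group name "www-data", the Drupal-style files/ and css/ paths and the san-mount directory are constructed placeholders, and because it runs unprivileged it skips the chgrp step a real deployment would include. The audit function at the end reports anything else in the tree that is group- or world-writable, which is the check worth running after every deploy.

```shell
#!/bin/sh
# Added example (not from the original Gllug post). Models the advice in the
# reply: lock the web root read-only, open group write on the few directories
# the application must write, revoke it again after configuration, and audit
# the tree for any other group- or world-writable path.
# Assumption: a real deployment would chgrp the tree to the web server's group
# ("www-data" here is a placeholder) and run the server in that group; this demo
# runs without root, so it skips chgrp and operates on a temporary tree.
set -eu

WEBROOT="$(mktemp -d)"

# Constructed sample layout: application code, two directories that need
# write access (Drupal-style files/ and css/) and a SAN-style mount point.
setup_webroot() {
    mkdir -p "$WEBROOT/sites/default/files" \
             "$WEBROOT/sites/default/css" \
             "$WEBROOT/san-mount"
    printf '<?php phpinfo();\n' > "$WEBROOT/index.php"
    printf 'body { margin: 0 }\n' > "$WEBROOT/sites/default/css/base.css"
    : > "$WEBROOT/sites/default/files/upload.txt"
    : > "$WEBROOT/san-mount/report.dat"
}

# Make the whole tree read-only for group and other, then re-open group write
# on the named directories only (arguments are paths relative to WEBROOT).
lock_down() {
    find "$WEBROOT" -type d -exec chmod 0750 {} +
    find "$WEBROOT" -type f -exec chmod 0640 {} +
    for d in "$@"; do
        find "$WEBROOT/$d" -type d -exec chmod 0770 {} +
        find "$WEBROOT/$d" -type f -exec chmod 0660 {} +
    done
}

# Revoke group write again, e.g. for a directory that only needed to be
# writable while the site was being configured.
revoke_write() {
    for d in "$@"; do
        find "$WEBROOT/$d" -type d -exec chmod 0750 {} +
        find "$WEBROOT/$d" -type f -exec chmod 0640 {} +
    done
}

# Audit: count paths that are group- or world-writable and are not inside one
# of the allowed directories given as arguments. 0 means the tree is as intended.
count_unexpected_writable() {
    n=0
    for p in $(find "$WEBROOT" \( -perm -020 -o -perm -002 \) -print); do
        ok=0
        for d in "$@"; do
            case "$p" in
                "$WEBROOT/$d"|"$WEBROOT/$d"/*) ok=1 ;;
            esac
        done
        [ "$ok" -eq 1 ] || n=$((n + 1))
    done
    echo "$n"
}

# Walk through the lifecycle: deploy, configure, revoke, audit.
demo() {
    setup_webroot
    lock_down sites/default/files sites/default/css san-mount
    echo "after deploy: $(count_unexpected_writable sites/default/files sites/default/css san-mount) unexpected writable path(s)"
    revoke_write sites/default/css
    echo "after revoking css write: $(count_unexpected_writable sites/default/files san-mount) unexpected writable path(s)"
    chmod 0666 "$WEBROOT/index.php"   # a stray world-writable file the audit should catch
    echo "with a stray writable index.php: $(count_unexpected_writable sites/default/files san-mount) unexpected writable path(s)"
    rm -rf "$WEBROOT"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh script.sh demo` to see the three audit counts (0, 0, then 1 once index.php has been made writable). In a real deployment the allowed directories are the same list you would pass to the bind mounts if Apache were chrooted, so keeping that list in one place serves both approaches.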