On 23/12/2013 15:30, Raffaele Morelli wrote:
2013/12/14 Lukasz Szybalski <szybal...@gmail.com>
[...]
root should not own files served by apache for any reason, that's
really "dangerous"!
you should never do that...
Excuse me, but I think you're wrong.
The only reason I see where a file served by a web server must not be
root is if it's suid and the web server has the rights to write to it
(by the group membership).
As a security measure, I preach the opposite: all files are root (or
another user, not used by the web server).
For the directories and files that have to be modified by the
application and so by the web server, I use a group membership
(www-data) with write privileges for the group.
Like this, if someone finds a hole in the web app, they can make it execute
something as the user running the web server, and cannot write to the
files served by the web server (except those specified above, using the
group www-data).
And so, they cannot modify application files (PHP scripts...) and make it
do what they want (send spam, propagate...).
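
The ownership scheme described in this message can be checked mechanically. The following is an added audit sketch, not part of the original post: it walks a document root and reports anything the web server account owns, anything world-writable, and anything its group can write outside an explicit list of writable directories. The function names, the `uploads` directory and the sample tree are constructed for illustration, and the web server's uid and gid are assumed to be passed in numerically.

```python
import os
import stat
import tempfile

def audit_docroot(root, web_uid, web_gid, writable_dirs=()):
    """Return sorted (relative path, reason) pairs that break the scheme."""
    root = os.path.normpath(root)
    allowed = [os.path.normpath(os.path.join(root, d)) for d in writable_dirs]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Check the directory itself, then every file directly inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing useful
            rel = os.path.relpath(path, root)
            exempt = any(path == a or path.startswith(a + os.sep) for a in allowed)
            group_w = st.st_gid == web_gid and bool(st.st_mode & stat.S_IWGRP)
            if st.st_uid == web_uid:
                findings.append((rel, "owned by web server user"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if group_w and st.st_mode & stat.S_ISUID:
                # The suid-plus-group-write case singled out in the message.
                findings.append((rel, "setuid and writable by web group"))
            elif group_w and not exempt:
                findings.append((rel, "web group can write outside allowed dirs"))
    return sorted(findings)

def build_sample_tree():
    """Constructed docroot for the demo: files and modes are made up."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = [("index.php", 0o644), ("config.php", 0o664),
              ("uploads/photo.jpg", 0o664), ("cache/page.html", 0o666)]
    for rel, mode in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for rel, mode in [(".", 0o755), ("uploads", 0o775), ("cache", 0o755)]:
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.lstat(root)
    # Hypothetical web server uid: any uid other than the tree's owner.
    for rel, reason in audit_docroot(root, owner.st_uid + 1, owner.st_gid, ["uploads"]):
        print(f"{rel}: {reason}")
```

On a real host the uid and gid would be those of the web server account (www-data in the message), and the writable list would name only the directories the application has to modify.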