Darrel wrote:

> http://openbsd.rt.fm/faq/faq10.html#httpdchroot
>
> Per the heading 'What is a chroot?', I plan to change the owner of all
> the files in the /var/www directory as read-only by User www. Should
> the group of directories and files be changed to www as well? At the
> moment, all of the files are owned by root and the groups are either
> bin or daemon in /var/www.
The question isn't who owns the files, the question is, who can WRITE to
the files. IF the user www can write to the files, a compromise in the
web server software or a web application can result in someone you
don't wish being able to alter your website. The files should be owned
by someone who can do maintenance on the site.

> I plan to implement cgi.

Which means you probably (though not certainly) have an app which
requires the ability to write to files. If that is true, that means you
have negated at least some of the benefit of chrooting. You may have to
pull some tools into the chroot; that will also negate more of the
benefit of chrooting. At some point, you may do enough damage to the
chroot idea that it might not be worth fighting with anymore. As
mentioned in the article you cite, "Not every application can or should
be chroot(2)ed." Don't break things unnecessarily, but don't force
things that don't fit the chroot idea into a chroot.

Nick.
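A way to check the point above (who can write, not who owns) on an actual document root, as an added example that is not part of the thread: the script lists everything under a directory that the web server account could modify. It assumes the server runs as user and group "www" (the OpenBSD default); the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a document root for files the
# web server could modify. Assumes the server runs as user/group "www", the
# OpenBSD default; the sample tree built by make_sample is constructed.

# www_writable DIR [USER] [GROUP]
# Prints every file or directory under DIR that the server user could write:
# world-writable, group-writable and in the server's group, or owned by the
# server user with the owner-write bit set.
www_writable() {
    dir=$1; user=${2:-www}; group=${3:-www}
    {
        find "$dir" -perm -002 || :                          # world-writable
        find "$dir" -group "$group" -perm -020 2>/dev/null || :
        # 'find -user' errors out if the account is unknown on this host,
        # so only run it when the account resolves.
        if id "$user" >/dev/null 2>&1; then
            find "$dir" -user "$user" -perm -200 || :
        fi
    } | sort -u
}

# Constructed sample document root: a static page and a CGI script that are
# read-only for the server, a group-writable upload directory and a
# world-writable data file that the CGI writes to.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi-bin" "$root/htdocs/uploads"
    touch "$root/htdocs/index.html" "$root/cgi-bin/app.cgi" "$root/htdocs/data.txt"
    chmod 0644 "$root/htdocs/index.html"
    chmod 0755 "$root/cgi-bin/app.cgi"
    chmod 0666 "$root/htdocs/data.txt"
    chmod 0775 "$root/htdocs/uploads"
    echo "$root"
}

# Stand-alone run: build the sample and list what a www process could alter.
# Passing the caller's own group stands in for "www" on a host without it.
root=$(make_sample)
www_writable "$root" www "$(id -gn)"
rm -rf "$root"
```

On a real chroot, run `www_writable /var/www` as root; every path printed is one the web server (and therefore a compromised CGI) could change, so each should either be intentional or have its write bit removed.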