Apache Permissions on ServerRoot Directories

In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writable only by root, but so must the directories, and parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

    mkdir /usr/local/apache
    cd /usr/local/apache
    mkdir bin conf logs
    chown 0 . bin conf logs
    chgrp 0 . bin conf logs
    chmod 755 . bin conf logs

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:

    cp httpd /usr/local/apache/bin
    chown 0 /usr/local/apache/bin/httpd
    chgrp 0 /usr/local/apache/bin/httpd
    chmod 511 /usr/local/apache/bin/httpd

You can create an htdocs subdirectory which is modifiable by other users — since root never executes any files out of there, and shouldn’t be creating files in there.

If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises. If the logs directory is writable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. If the log files themselves are writable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.
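The properties described above (a root-owned, non-writable directory chain from ServerRoot up to /, a protected httpd binary, and a logs directory containing no symlinks and no writable entries) can be audited with the following script. It is an added example, not part of the Apache documentation: the function names, the sample tree it builds with mktemp, and the reliance on the `ls -ldn` output layout (mode string first, numeric uid third, as produced by GNU and BSD ls) are assumptions.

```shell
#!/bin/sh
# Added audit script (not from the Apache documentation). It checks what the
# text requires: every directory from ServerRoot up to / owned by uid 0 and
# not group/other-writable, the same for bin/, conf/ and bin/httpd, and a
# logs/ directory with no symlinks and no writable entries.
# Assumes a POSIX shell and an ls that supports -l -d -n (GNU and BSD ls do).

# Examine one path. Prints one line per finding; returns 0 when clean.
check_one() {
    path=$1
    want_uid=$2
    if [ -L "$path" ]; then
        echo "SYMLINK  $path"        # root must never write through a planted link
        return 1
    fi
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    bad=0
    # ls -ldn fields: mode, link count, numeric uid, numeric gid, ...
    # -d keeps it from listing a directory's contents.
    set -- $(ls -ldn "$path")
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $path (uid $uid, expected $want_uid)"
        bad=1
    fi
    # 6th character of the mode string is group write, 9th is other write.
    case $mode in ?????w*)    echo "GROUP-W  $path ($mode)"; bad=1 ;; esac
    case $mode in ????????w*) echo "OTHER-W  $path ($mode)"; bad=1 ;; esac
    return $bad
}

# Walk from a path up through its parents to $top (default /), checking each.
check_chain() {
    p=$1
    top=${2:-/}
    cuid=${3:-0}
    rc=0
    while :; do
        check_one "$p" "$cuid" || rc=1
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# The logs directory and every entry inside it (dotfiles included).
check_logs() {
    logdir=$1
    luid=${2:-0}
    lrc=0
    check_one "$logdir" "$luid" || lrc=1
    for f in "$logdir"/* "$logdir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # unmatched glob pattern
        check_one "$f" "$luid" || lrc=1
    done
    return $lrc
}

# Full audit of a ServerRoot laid out as in the text (bin/ conf/ logs/).
audit_serverroot() {
    sr=$1
    auid=${2:-0}
    arc=0
    check_chain "$sr" / "$auid" || arc=1
    for item in bin conf bin/httpd; do
        if [ -e "$sr/$item" ] || [ -L "$sr/$item" ]; then
            check_one "$sr/$item" "$auid" || arc=1
        fi
    done
    check_logs "$sr/logs" "$auid" || arc=1
    return $arc
}

# Constructed sample tree (not a real installation) so the checks can be
# exercised without root: owned by the current user, with two deliberate
# defects in logs/: a world-writable error_log and a symlink posing as a log.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/apache/bin" "$root/apache/conf" "$root/apache/logs"
    chmod 755 "$root" "$root/apache" "$root/apache/bin" "$root/apache/conf" "$root/apache/logs"
    : > "$root/apache/bin/httpd";        chmod 511 "$root/apache/bin/httpd"
    : > "$root/apache/logs/access_log";  chmod 644 "$root/apache/logs/access_log"
    : > "$root/apache/logs/error_log";   chmod 666 "$root/apache/logs/error_log"
    : > "$root/other_file";              chmod 644 "$root/other_file"
    ln -s "$root/other_file" "$root/apache/logs/rewrite_log"
    echo "$root"
}

# Usage: sh audit.sh /usr/local/apache   (real ServerRoot, expects uid 0)
#        sh audit.sh                     (demonstrates on the sample tree)
if [ $# -gt 0 ]; then
    audit_serverroot "$1" "${2:-0}"
else
    sample=$(build_sample_tree)
    # Stop the walk at the temp root: /tmp is legitimately world-writable (sticky).
    check_chain "$sample/apache/bin" "$sample" "$(id -u)"
    check_logs "$sample/apache/logs" "$(id -u)"
    rm -rf "$sample"
fi
```

Run against a real installation with `sh audit.sh /usr/local/apache`; the walk then continues up to /, so a world-writable parent such as /tmp is reported as a finding, which is the intended result. The sample run only checks down to its own temporary root and against the current uid, so it can be executed as an ordinary user; on the constructed tree it reports the symlinked rewrite_log and the group- and world-writable error_log while the directory chain and httpd pass.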
