If Apache is to work properly, it’s important to correctly set the file-access permissions. In Unix systems, there are three kinds of permissions: read, write, and execute. They attach to each object in three levels: user, group, and other or “rest of the world.” If you have installed the demonstration sites, go to ... /site.cgi/htdocs, and type:
% ls -l
You see:
-rw-rw-r-- 5 root bin 1575 Aug 15 07:45 form_summer.html
The first - indicates that this is a regular file. It is followed by three permission fields, each of three characters. They mean, in this case:
User (root)
    Read yes, write yes, execute no
Group (bin)
    Read yes, write yes, execute no
Other
    Read yes, write no, execute no
When the permissions apply to a directory, the x execute permission means scan: the ability to see the contents and move down a level.
The permission that interests us is other, because the copy of Apache that tries to access this file belongs to user webuser and group webgroup. These were set up to have no affinities with root and bin, so that copy can gain access only under the other permissions, and the only one set is “read.” Consequently, a Bad Guy who crawls under the cloak of Apache cannot alter or delete our precious form_summer.html; he can only read it.
We can now write a coherent doctrine on permissions. We have set things up so that everything in our web site, except the data vulnerable to attack, has owner root and group wheel. We did this partly because it is a valid approach, but also because it is the only portable one. The files on our CD-ROM with owner root and group wheel have owner and group numbers 0 that translate into similar superuser access on every machine.
Of course, this only makes sense if the webmaster has root login permission, which we had. You may have to adapt the whole scheme if you do not have root login, and you should perhaps consult your site administrator.
In general, on a web site everything should be owned by a user who is not webuser and a group that is not webgroup (assuming you use these terms for Apache configurations).
There are four kinds of files to which we want to give webuser access: directories, data, programs, and shell scripts. webuser must have scan permissions on all the directories, starting at root down to wherever the accessible files are. If Apache is to access a directory, that directory and all in the path must have x permission set for other. You do this by entering:
% chmod o+x <each-directory-in-the-path>
To produce a directory listing (if this is required by, say, an index), the final directory must have read permission for other. You do this by typing:
% chmod o+r <final-directory>
It probably should not have write permission set for other:
% chmod o-w <final-directory>
To serve a file as data — and this includes files like .htaccess (see Chapter 3) — the file must have read permission for other:
% chmod o+r <file>
And, as before, deny write permission:
% chmod o-w <file>
To run a program, the file must have execute permission set for other:
% chmod o+x <program>
To execute a shell script, the file must have read and execute permission set for other:
% chmod o+rx <script>
For complete safety:
% chmod a=rx <script>
If the user is to edit the script, but it is to be safe otherwise:
% chmod u=rwx,og=rx <script>
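The rules above for directories and data files can be checked mechanically. The script below is an added example, not part of the original text: it reads the other field of the ls -l mode string for a file and for every directory above it, and reports anything that departs from those rules. The function names and the optional TOP argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original text): audit the "other" permission
# bits that an unprivileged Apache user such as webuser depends on.

# Print the three "other" characters of the ls -l mode string, e.g. "r--".
# -L follows symbolic links so the target's permissions are reported.
other_bits() {
    ls -ldL "$1" | cut -c8-10
}

# audit_served_file FILE [TOP]  (both names are illustrative)
# FILE is an absolute path. Every directory from FILE's own directory up to
# TOP (default /) is checked. Prints one line per problem; returns 0 if clean.
audit_served_file() {
    file=$1 top=${2:-/} bad=0
    final=$(dirname "$file")
    dir=$final
    while :; do
        case $(other_bits "$dir") in
            ??x|??t) ;;    # t means sticky bit with execute also set
            *) echo "missing o+x (scan): $dir"; bad=1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    # The final directory should not be writable by other.
    case $(other_bits "$final") in
        ?w?) echo "other-writable directory: $final"; bad=1 ;;
    esac
    # A data file must be readable, and not writable, by other.
    fbits=$(other_bits "$file")
    case $fbits in r??) ;; *) echo "missing o+r: $file"; bad=1 ;; esac
    case $fbits in ?w?) echo "other-writable file: $file"; bad=1 ;; esac
    return $bad
}

# When run with arguments, audit the given file.
if [ $# -gt 0 ]; then audit_served_file "$@"; fi
```

Run it with the absolute path of a served file; a file with the -rw-rw-r-- mode shown earlier passes as long as every directory above it has x set for other.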