Gentoo Forums
Web Site permissions
LinuxRocks
Guru


Joined: 27 Nov 2003
Posts: 397
Location: New Mexico

Posted: Wed Jul 27, 2005 6:16 pm    Post subject: Web Site permissions

Hey all,

I have a simple question. I have set up a web site for myself that has basic HTML files, a forum, and a document sharing facility. Now, I have set the permissions on the web root to 750 (apache:apache). Is that safe to have the permissions set that way? On certain config files, I have the permissions set to 640.

Thanks for any advice...

Joe
YetiChick
n00b


Joined: 23 Jun 2003
Posts: 69

Posted: Wed Jul 27, 2005 6:43 pm

Safe is such a relative term...

Personally, to fit my own idea of 'safe', I never give the webserver user (apache, nobody, whatever) write access to anything it doesn't absolutely need to write (such as an upload folder). If apache turns out to have a previously undiscovered bug that allows access to your machine as that user then a web root with 750 permissions is going to have some interesting stuff in it pretty soon. I prefer to have tighter permissions by default, loosening them as needed. You can do it the other way around - leave relatively relaxed permissions and make individual files and directories more secure - but it requires more care.

Finally, the amount of work and time you put into security should be proportional to the value of what you want to secure. If you have nothing of value, a defacement wouldn't be a big deal and it's significantly more convenient to have lax permissions... Well, it's up to you to take the risk. Just think about it first.

Also, keep in mind that even if your own data isn't that valuable, a machine compromise could allow someone to do nasty stuff to others from your machine. Even if you don't care about the stuff you have on your own machine, give some thought to what the apache user could do if that account belonged to someone malicious.
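
An added example, not part of the forum posts: a check for what the reply above recommends, listing everything under a web root that the web server account can write, apart from an intended upload directory. The function names and the constructed sample tree (`index.html`, `config.php`, `uploads/`) are assumptions; the modes 750 and 640 come from the thread. It evaluates classic mode bits only, not ACLs.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids: owner, else group, else other."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def writable_paths(root, uid, gids, allowed=()):
    """Paths under root that uid/gids may write, skipping `allowed` subtrees."""
    root = os.path.realpath(root)
    allowed = {os.path.realpath(a) for a in allowed}
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into directories where write access is intended.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in allowed]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits do not control access
            if class_bits(st, uid, gids) & 0o2:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def demo():
    """Constructed tree with the thread's modes: 750 directories, 640 files."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        for name in ("index.html", "config.php"):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, 0o640)
        os.chmod(uploads, 0o750)
        os.chmod(root, 0o750)
        st = os.lstat(root)
        # Case 1: the web server user owns the tree (apache:apache in the post).
        as_owner = writable_paths(root, st.st_uid, {st.st_gid}, [uploads])
        # Case 2: another account owns it; the server only shares the group.
        as_group = writable_paths(root, st.st_uid + 1, {st.st_gid}, [uploads])
        return as_owner, as_group

if __name__ == "__main__":
    print(demo())
```

With identical 750/640 modes, the owner case reports the root directory and both files as writable, while the group-only case reports nothing.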
All times are GMT