anyweb

set correct permissions on your apache files


the easy way

 

as root cd to the 'document root path' of your apache server and do as follows

 

find . -type f -exec chmod 644 {} \; && find . -type d -exec chmod 755 {} \;

 

this sets all your files to 644 and all your directories to 755

 

for example,

 

cd /usr/local/apache/website/mystuff

find . -type f -exec chmod 644 {} \; && find . -type d -exec chmod 755 {} \;

 

cheers

 

anyweb

Edited by anyweb
  • Like 5
  • Thanks 1


i used this command to chmod apache folder, but somehow my forums has error

 

hi everyone

 

my forums have this problem:

 

 

--------------------------------------------------------------------------------

 

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@mysite.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

 

More information about this error may be available in the server error log.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

--------------------------------------------------------------------------------

i try to restart apache, but it tells me that server error
--------------------------------------------------------------------------------

 

root@myhost [/usr/local]# service httpd restart

/etc/init.d/httpd restart: configuration broken, ignoring restart

/etc/init.d/httpd restart: (run 'apachectl configtest' for details)

 

--------------------------------------------------------------------------------

 

 

then i run config for detail:

 

--------------------------------------------------------------------------------

 

root@myhost [/usr/local]# /etc/init.d/httpd configtest

/etc/init.d/httpd: line 175: /usr/local/apache/bin/httpd: Permission denied

 

--------------------------------------------------------------------------------

 

 

Any idea? thanks

 

p/s: I think the apache folder has problem with chmod, what should i do to make it go back normal ? Other website html...etc. just work fine, but only forums has the problem

  • Confused 1

i used this command to chmod apache folder, but somehow my forums has error

 

most forums use caches that require the ability for the server to write to the directories. the permissions from above that anyweb quoted will not give them to it.

 

unfortunately without more information about the type of forum i can't really tell you the permissions you'll need to set.

 

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@mysite.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

 

More information about this error may be available in the server error log.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

OK so that looks like the server dislikes something.. not the forum. maybe this is related to the htaccess / server config files ? also it points out the fact that the error document doesn't exist

 

root@myhost [/usr/local]# service httpd restart

/etc/init.d/httpd restart: configuration broken, ignoring restart

/etc/init.d/httpd restart: (run 'apachectl configtest' for details)

root@myhost [/usr/local]# /etc/init.d/httpd configtest

/etc/init.d/httpd: line 175: /usr/local/apache/bin/httpd: Permission denied

 

OK again something more has happened to your system. the permissions alterations that anyweb suggested would not do this...

 

OH wait.. i see it... OK i know what the problem is now I think.

 

did you run the command that anyweb suggested from /usr/local, if so this is the problem. i think you have stripped the executable permissions from your server.

 

try:

# chmod 755 /usr/local/apache/bin/*

 

p/s: I think the apache folder has problem with chmod, what should i do to make it go back normal ? Other website html...etc. just work fine, but only forums has the problem

 

yeah... the difficulty here is understanding what anyweb meant when he said:

 

as root cd to the 'path' of your apache server and do as follows

 

What he meant was cd into the document root for your web server. this is defined inside the configuration file for apache. a quick:

 

# grep -i documentroot apache2.conf
DocumentRoot /var/www/localhost/htdocs

 

So you would need to cd into that directory before committing anyweb's commands.

 

if you are running a forum however certain extra permissions may be required on certain directories to allow the server to write to that directory/file, most of the installation documentation will indicate this for you.
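
The failure diagnosed above (the 644 reset run from /usr/local stripping the execute bit from /usr/local/apache/bin/httpd) can be guarded against in the script itself. The following is an added example, not part of the original posts; the function names and the list of refused prefixes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: refuse to run the 644/755 reset outside a web content tree.

# list_exec_files DIR: print regular files that carry any execute bit.
list_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# looks_like_docroot DIR: 0 if DIR is plausibly web content, 1 otherwise.
looks_like_docroot() {
    [ -d "$1" ] || return 1
    real=$(cd "$1" && pwd -P) || return 1
    # Constructed deny list of system prefixes; extend it for your layout.
    case "$real" in
        /|/bin|/sbin|/etc|/usr|/usr/local|/usr/local/apache|/var|/home)
            return 1 ;;
    esac
    # Executables (such as apache/bin/httpd in the thread) mean the tree
    # is not plain content, so a blanket chmod 644 would break something.
    [ -z "$(list_exec_files "$real" | head -n 1)" ]
}

# reset_docroot_perms DIR: files 644, directories 755, only after the guard.
reset_docroot_perms() {
    target=$1
    if ! looks_like_docroot "$target"; then
        echo "refusing to chmod '$target': not a plain content tree" >&2
        list_exec_files "$target" 2>/dev/null | head -n 5 >&2
        return 1
    fi
    find "$target" -type f -exec chmod 644 {} + &&
        find "$target" -type d -exec chmod 755 {} +
}
```

A document root that legitimately holds executable CGI scripts is also refused, which is intended: a blanket 644 would strip their execute bit too, so those trees need a reviewed, per-directory change.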


One final point in terms of security...

 

Apache usually runs under a non-privileged account (httpd, www-data, etc - depending upon your distro) so this account needs:

  1. read access to any website content
  2. read and execute access to any website directories (execute priv = directory traversal permission)
  3. write access to any directories that it needs to amend content in (eg: caches, config dirs, upload dirs).

 

The first two are quite easy: chmod 644 on any files and 755 on any directories and you're away. However, this also means that anyone else on the server can access website content, meaning they could be exposed to confidential information (such as database credentials, backdoor passwords, etc).

 

Rather than set the content world-readable, two alternative options are:

  1. set the GROUP of the files/directories to match the group of the webserver account (www-data or the httpd group) then set file permissions to 640 and dirs to 750
  2. Install suPHP on Apache, and set the content back to owner-only accessible.

 

The first is probably a quick and dirty method of doing it, but restricts the content to read/write for owner and read-only for Apache (and nothing for anyone else), thus preventing anyone outside of the website owner and apache from accessing that content.

 

The second is preferable - it makes Apache perform a "su" to the website owner, accessing it as though it owned the content. This means that all cache data and config files just need to be read/writeable by the owner - no messing about with allowing apache groups or world read-access.

 

So why not go for that latter option all the time? There are some downsides:

  • it requires some configuration at the Apache end, in particular a custom php.ini file per-site
  • it requires setting file/dir permissions carefully, since suPHP will abort serving up content if the mode (owner/group/permissions) does not exactly match that in the suphp config file
  • there is an additional processing overhead (apache needs to keep switching user prior to accessing/delivering content) which can impact busy sites.

 

The alternative is that you set all content to 777 and not worry about it, which is what a lot of new web administrators do. And then they wonder how they got cracked, why they're serving up trojans and exploits on their websites, and how their server has become part of a spam-spewing botnet. I'm afraid "but I didn't know" isn't an adequate defence. "But I didn't research and thus permitted something easily exploitable to be let loose on the internet" is more accurate.

 

Practise safe web administration, people. You know it makes sense!

  • Thanks 1
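
The first alternative above (web server group, files 640, directories 750, write access only where the server needs it) written out as a script, together with an audit for content that still grants access to "other". This is an added example, not part of the original post; the function names and the relative writable-directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: group-based permissions for a document root.

# apply_group_scheme ROOT GROUP [WRITABLE_DIR ...]
#   ROOT is the document root, GROUP the web server's group (name or gid),
#   WRITABLE_DIR paths are relative to ROOT (caches, upload dirs).
apply_group_scheme() {
    root=$1; group=$2; shift 2
    # Only regular files and directories are touched; symlinks are skipped.
    find "$root" \( -type f -o -type d \) -exec chgrp "$group" {} + || return 1
    find "$root" -type f -exec chmod 640 {} + || return 1
    find "$root" -type d -exec chmod 750 {} + || return 1
    for rel in "$@"; do
        [ -d "$root/$rel" ] || { echo "no such dir: $rel" >&2; return 1; }
        # Group write only inside the areas the server must modify.
        find "$root/$rel" -type d -exec chmod 770 {} + || return 1
        find "$root/$rel" -type f -exec chmod 660 {} + || return 1
    done
}

# audit_world_access ROOT: print entries that grant any right to "other",
# which covers both the 644/755 exposure and the 777 case.
audit_world_access() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# count_world_writable ROOT: number of files and directories anyone can modify.
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print | wc -l | tr -d ' '
}
```

Run as the content owner or root, for example `apply_group_scheme /var/www/localhost/htdocs www-data cache uploads`, then confirm `audit_world_access` prints nothing.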
