Hi,

After installing phpmyadmin and adding it with webapp-config to the default vhost, located in /var/www/localhost/htdocs, I noticed that the permissions on /var/www were root:root 0755.

This means that, for example, /var/www/localhost/htdocs/phpmyadmin/config.default.php is readable by world, and since this contains a password used to connect as the pma user to MySQL, it is potentially dangerous.

So I made apache:apache the recursive owner of /var/www and also chmodded it with -R 2700.

Is this the standard way or are there better ways?

Thanks,

Wimmy

Wim Cossement wrote:
> Hi,
>
> After installing phpmyadmin and adding it with webapp-config to the
> default vhost, located in /var/www/localhost/htdocs, I noticed that the
> permissions on /var/www were root:root 0755.
>
> This means that, for example,
> /var/www/localhost/htdocs/phpmyadmin/config.default.php is readable by
> world, and since this contains a password used to connect as the pma user
> to MySQL, it is potentially dangerous.
>
> So I made apache:apache the recursive owner of /var/www and also
> chmodded it with -R 2700.
>
> Is this the standard way or are there better ways?

I'm not that much for using webapp-config; I usually let it have its defaults, so I get everything installed in /var/www, and thereafter I always move things where I want them to be and set restrictive file privileges, so that only apache has the rights, in a similar way to what you have done. This gives me more control, IMHO.

As I don't use phpmyadmin (much more fun to use the console tools), I don't know if it needs a directory that is less secure. There are some apps that need this to work as they are designed, so I do suggest you take a look at the documentation and modify the privileges if needed.

By the way, you don't need to set the execute privilege for the PHP files; for them 6 is more than enough (directories will need it set). I avoid setting execute privileges on files that don't need it.

//Aho

Giving apache write access is a bad idea and unnecessary. Normally I'd keep all files in /var/www/* root:apache 0640, as even with PHP scripts apache only needs read access to the files to feed them into the PHP engine.

The rationale for this is simple: imagine someone compromised your apache server. If apache has write access, a malicious script could be planted to dig for further information about your system, leading to a greater breach.

Hope this helps.

Wim Cossement wrote:
> Hi,
>
> After installing phpmyadmin and adding it with webapp-config to the
> default vhost, located in /var/www/localhost/htdocs, I noticed that the
> permissions on /var/www were root:root 0755.
>
> This means that, for example,
> /var/www/localhost/htdocs/phpmyadmin/config.default.php is readable by
> world, and since this contains a password used to connect as the pma user
> to MySQL, it is potentially dangerous.
>
> So I made apache:apache the recursive owner of /var/www and also
> chmodded it with -R 2700.
>
> Is this the standard way or are there better ways?
>
> Thanks,
>
> Wimmy

Wim Cossement wrote:
> Hi,
>
> After installing phpmyadmin and adding it with webapp-config to the
> default vhost, located in /var/www/localhost/htdocs, I noticed that the
> permissions on /var/www were root:root 0755.
>
> This means that, for example,
> /var/www/localhost/htdocs/phpmyadmin/config.default.php is readable by
> world, and since this contains a password used to connect as the pma user
> to MySQL, it is potentially dangerous.
>
> So I made apache:apache the recursive owner of /var/www and also
> chmodded it with -R 2700.
>
> Is this the standard way or are there better ways?
>
> Thanks,
>
> Wimmy

Thanks for both tips. I already took the x from all my PHP files, but the second suggestion about changing all the files in /var/www/ to root:apache 0640 does not do the trick; I always get a 403 error when I tried this.

This seems illogical to me, since apache runs as apache:apache so it should be able to get me the files, since the group can read them.

What am I missing?

Regards,

Wimmy

Wim Cossement wrote:
> Thanks for both tips. I already took the x from all my PHP files, but the
> second suggestion about changing all the files in /var/www/ to
> root:apache 0640 does not do the trick; I always get a 403 error when I
> tried this.
>
> This seems illogical to me, since apache runs as apache:apache so it
> should be able to get me the files, since the group can read them.

The files should be owned by apache and not root, as this may lead to apache not having the right to read the file in question.

//Aho

J.O. Aho <user@example.net> wrote:
> Wim Cossement wrote:
>
>> Thanks for both tips. I already took the x from all my PHP files, but
>> the second suggestion about changing all the files in /var/www/ to
>> root:apache 0640 does not do the trick; I always get a 403 error
>> when I tried this.
>>
>> This seems illogical to me, since apache runs as apache:apache so it
>> should be able to get me the files, since the group can read them.
>
> The files should be owned by apache and not root, as this may lead to
> apache not having the right to read the file in question.

If apache is in the group apache, it will be allowed to read any files that are root:apache 0640. (Assuming the parent directories are 0750 or otherwise give rx access to the apache group, of course.)

The problem is likely one of:

- The PHP programs in question demand *write* access, in which case it's an insecure abomination that should be uninstalled and have all traces wiped as fast as possible.
- The PHP programs run as a different user ID than the web server (which is a good thing), and this user ID is not a member of the apache group.

Regards,
--
*Art

Wim Cossement wrote:
> Wim Cossement wrote:
>
>> Hi,
>>
>> After installing phpmyadmin and adding it with webapp-config to the
>> default vhost, located in /var/www/localhost/htdocs, I noticed that
>> the permissions on /var/www were root:root 0755.
>>
>> This means that, for example,
>> /var/www/localhost/htdocs/phpmyadmin/config.default.php is readable by
>> world, and since this contains a password used to connect as the pma
>> user to MySQL, it is potentially dangerous.
>>
>> So I made apache:apache the recursive owner of /var/www and also
>> chmodded it with -R 2700.
>>
>> Is this the standard way or are there better ways?
>>
>> Thanks,
>>
>> Wimmy
>
> Thanks for both tips. I already took the x from all my PHP files, but the
> second suggestion about changing all the files in /var/www/ to
> root:apache 0640 does not do the trick; I always get a 403 error when I
> tried this.
>
> This seems illogical to me, since apache runs as apache:apache so it
> should be able to get me the files, since the group can read them.
>
> What am I missing?
>
> Regards,
>
> Wimmy

If you did a recursive ch{own,grp,mod} -R root:apache 640, then the folders inside won't have the 'x' access flag; fix the folders and the scripts should function.

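The following script is an added example, not code posted by anyone in this thread: it applies the root:apache 0640 layout recommended earlier while avoiding the recursive-chmod pitfall just described (directories losing their search bit, hence the 403s). It assumes a GNU/Linux userland with find, chmod and mktemp; the function names and the demo tree, which stands in for /var/www/localhost/htdocs/phpmyadmin with a dummy password, are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the root:apache 0640 layout recommended
# above, applied without the "chmod -R 640" pitfall that strips the search
# (x) bit from directories and causes the 403 errors Wim saw.
set -eu

# Directories under $1 lacking the group search bit (010): apache cannot
# enter them, so everything below is unreachable. Returns 1 if any exist.
find_untraversable_dirs() {
    bad=$(find "$1" -type d ! -perm -010 2>/dev/null || true)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Dirs 0750 (group may enter), files 0640 (PHP needs no execute bit; apache
# only reads them). Dirs are fixed one at a time ("\;") so each is enterable
# before find descends. chown only if an owner:group is given (needs root).
harden_webroot() {
    root=$1; owner=${2:-}
    find "$root" -type d -exec chmod 0750 '{}' \;
    find "$root" -type f -exec chmod 0640 '{}' +
    if [ -n "$owner" ]; then chown -R "$owner" "$root"; fi
}

# Succeeds only if every directory is exactly 0750 and every file 0640.
check_layout() {
    [ -z "$(find "$1" -type d ! -perm 750)" ] &&
    [ -z "$(find "$1" -type f ! -perm 640)" ]
}

# Constructed stand-in for /var/www/localhost/htdocs/phpmyadmin holding a
# dummy control-user password. Prints the temporary root directory.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/localhost/htdocs/phpmyadmin"
    printf '<?php $cfg["Servers"][1]["controlpass"] = "dummy";\n' \
        > "$root/localhost/htdocs/phpmyadmin/config.default.php"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_demo_tree)
    find "$root" -depth -exec chmod 640 '{}' \;  # the mistake, deepest first
    if find_untraversable_dirs "$root" >/dev/null; then return 1; fi
    echo "after recursive 640: directories lost the search bit (403)"
    harden_webroot "$root"
    check_layout "$root" || return 1
    echo "after harden_webroot: dirs 0750, files 0640"
    rm -rf "$root"
}
demo
```

Run it as root with `harden_webroot /var/www root:apache` to also apply the ownership; without root it only fixes the modes.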
Arthur Hagen wrote:
> J.O. Aho <user@example.net> wrote:
>> Wim Cossement wrote:
>>
>>> Thanks for both tips. I already took the x from all my PHP files, but
>>> the second suggestion about changing all the files in /var/www/ to
>>> root:apache 0640 does not do the trick; I always get a 403 error
>>> when I tried this.
>>>
>>> This seems illogical to me, since apache runs as apache:apache so it
>>> should be able to get me the files, since the group can read them.
>> The files should be owned by apache and not root, as this may lead to
>> apache not having the right to read the file in question.
>
> If apache is in the group apache, it will be allowed to read any files
> that are root:apache 0640. (Assuming the parent directories are 0750 or
> otherwise give rx access to the apache group, of course.)

Even so, there are scripts that check ownership and privileges, which makes them not work properly even if the apache group would be able to read them. Of course that wasn't the case in Wim's post here.

//Aho