"Those are symlinks. Under Linux, symlinks are (almost) always 777."<br>Shit. That's right.<br><br>"My rule of thumb is have any file/directory that apache does not<br>need to write to be owned by "ANY" user other than apache."
<br><br>Good rule. I'll put it in my book. <br><br>Thanks for the help guys.<br><br><div><span class="gmail_quote">On 7/26/06, <b class="gmail_sendername">Michael Proctor-Smith</b> <<a href="mailto:mproctor13@gmail.com">
mproctor13@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On 7/26/06, Joel Witherspoon <<a href="mailto:joel.witherspoon@gmail.com">
joel.witherspoon@gmail.com</a>> wrote:<br>> If this is a dumb question, let me know.<br>><br>> I'm running CentOS 4.3 with Apache 2 running as user:group Apache:Apache.<br>><br>> My /var/www directories are owned by root:root all at 755
<br>> My /etc/httpd directories are owned by root:root and at 755<br><br>The above on my systems are all root:root 644<br>> except my logs,<br>> modules and run - they are at 777<br>actual modules are root:root 755; logs, modules and run are links,
<br>hence 777. Check the permissions on the actual files. Logs do not need to be<br>owned or writeable by any other than root because they are opened<br>before apache changes user from root.<br><br><br>> I'm not providing user directories
<br>> I am using the cgi-bin<br>I don't use cgi-bin so can't answer that.<br>> I'm trying to secure my Apache system as much as possible.<br>><br>> Should I change the directory user:groups to apache:apache for the
<br>> /etc/httpd and /var/www, /var/cgi-bin?<br>NO!! If some unknown code was run, then apache could change its configuration.<br><br>> What is the best way to secure apache with this setup?<br><br>My rule of thumb is have any file/directory that apache does not
<br>need to write to be owned by "ANY" user other than apache.<br></blockquote></div><br>
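An added example, not part of the original thread: a shell audit that applies the two points made above, ignoring the 777 shown on a symlink and checking its target instead, and flagging any path the web server user owns or anyone can write. The names audit_webroot and demo, and the temporary tree, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web tree for paths the web server user could modify.
# Usage: audit_webroot DIR USER   (USER may be a name or a numeric UID)

audit_webroot() {
    dir=$1 user=$2
    # Real files and directories: flag anything USER owns or anyone can write.
    # Symlinks are skipped here: their lrwxrwxrwx mode is not used for access checks.
    find "$dir" ! -type l \( -user "$user" -o -perm -0002 \) -print
    # Symlinks: judge the target they resolve to, not the link itself.
    find "$dir" -type l -print | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        [ -e "$target" ] || continue          # dangling link, nothing to check
        hit=$(find "$target" -prune \( -user "$user" -o -perm -0002 \) -print)
        [ -z "$hit" ] || printf '%s -> %s\n' "$link" "$target"
    done
}

# Constructed sample tree (not a real server layout): a config file, plus a
# "logs" symlink pointing at a directory outside the tree.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/httpd/conf" "$base/real_logs"
    : > "$base/httpd/conf/httpd.conf"
    chmod 755 "$base/httpd" "$base/httpd/conf" "$base/real_logs"
    chmod 644 "$base/httpd/conf/httpd.conf"
    ln -s "$base/real_logs" "$base/httpd/logs"
    other=$(( $(id -u) + 1 ))   # assumption: a UID that owns nothing in the tree

    echo "== link shows 777, target is 755: expect no findings =="
    audit_webroot "$base/httpd" "$other"
    echo "== target made world-writable: expect the logs link =="
    chmod 777 "$base/real_logs"
    audit_webroot "$base/httpd" "$other"
    echo "== audited user owns the tree: expect every real path =="
    audit_webroot "$base/httpd" "$(id -u)"
    rm -rf "$base"
}
demo
```

On a real server the call would be audit_webroot /etc/httpd apache, run as root so that find can read every directory.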