Currently I have Apache running under the group/user "nobody" (using cPanel WHM). So my web users have to set folder directories they want to write to to 777.
So user "newuser" has all files with user/group of "newuser" in /home/newuser.
To make a folder/files writable, they have to set permissions to 777, since the Apache user "nobody" is not part of the "newuser" group.
Should I just add "nobody" to the "newuser" group?
Should I run everything under the "nobody" group?
-Will this give Apache access across sites? For example, would /home/newuser be able to use PHP/Apache to access /home/newuser2?
Should I just keep things the way they are?
Everyone's input is welcomed. I am a novice (nub) to server management.
In general there is no need for Apache or PHP to write in user directories. I have all my HTML and script directories marked as read-only for Apache. One flaw in one PHP script somewhere on your server and some cross-scripting injections will allow a hacker to modify all PHP/HTML files he wants to.
I would at least make all user directories only readable by the Apache process, and blocked for users from the same group, i.e. mask 705 instead of 777. If users need access to some directories from the Apache daemon, they can change permissions to 707 for that specific directory. In no way should you allow script directories to be writable by Apache.
The 0 in 707 and 705 means that the multiple users on your system can't see the contents of the other users' directories to look for embedded passwords in script files, etc.
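
An audit of a home directory against the 705/707 scheme described in the reply above, as an added example that is not part of either post. The function name `audit_perms`, the finding codes, and the use of the `*.php` extension to recognise script directories are assumptions made for illustration.

```shell
#!/bin/sh
# audit_perms ROOT
# Prints one finding per line as "<CODE> <path>" (codes are hypothetical):
#   WRITABLE_SCRIPT_DIR  other-writable directory that holds *.php files
#   WRITABLE_DATA_DIR    other-writable directory without scripts (the 707 case)
#   GROUP_ACCESS         directory with any group bit set (the middle digit is not 0)
#   WRITABLE_SCRIPT      *.php file that is itself other-writable
# Assumes paths contain no newlines.
audit_perms() {
    root=$1

    # Apache running as "nobody" falls in the "other" class, so the last
    # octal digit decides what the web server process may write.
    find "$root" -type d -perm -0002 | while IFS= read -r d; do
        if [ -n "$(find "$d" -maxdepth 1 -type f -name '*.php' | head -n 1)" ]; then
            printf 'WRITABLE_SCRIPT_DIR %s\n' "$d"
        else
            printf 'WRITABLE_DATA_DIR %s\n' "$d"
        fi
    done

    # Any group read, write or execute bit lets accounts sharing the group
    # look inside, which the 0 in 705/707 is meant to prevent.
    find "$root" -type d \( -perm -0040 -o -perm -0020 -o -perm -0010 \) |
    while IFS= read -r d; do
        printf 'GROUP_ACCESS %s\n' "$d"
    done

    # Script files that the web server process could overwrite directly.
    find "$root" -type f -name '*.php' -perm -0002 | while IFS= read -r f; do
        printf 'WRITABLE_SCRIPT %s\n' "$f"
    done
}

# Run as a script: ./audit_perms.sh /home/newuser
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

`WRITABLE_DATA_DIR` entries are the directories a user has deliberately opened with 707; the other three codes mark places where the layout departs from the scheme.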