httpd-users mailing list archives

From Aaron W Morris <aaronmor...@mindspring.com>
Subject Re: [users@httpd] remote update of the websites
Date Sun, 25 Apr 2004 03:57:25 GMT
Ksenia Marasanova wrote:
> Hi list,
> 
> I'm planning to automate the process of updating my websites and was 
> wondering how other people do this.
> Currently it's quite a procedure:
> 
> - scp files to the webserver (as a regular user)
> - su to root
> - copy files to the www directory
> - chown files to www:www (if needed)
> - chmod files to r--------, directories to dr-x------, cgi scripts to 
> r-x------ (if needed)
> 
> In the ideal situation, I'd like to have an update script that will just 
> copy updated files to the webserver and take care of everything. But:
> - I don't want to open any other ports but ssh
> - I don't want to allow root remote access
> 
> Actually I don't want to use root login at all, prefer to do everything 
> as a regular user. But if I understand things correctly, then I'll need 
> to make this user the owner of the web files... right? Does it open any 
> security holes?
> 
> Appreciate any help!
> 
> Thanks,
> Ksenia.
> 

It is not less secure as long as you secure the rest of your box.  You 
could have the server running as nobody and the files owned by a regular 
user (files mode 644, dirs/CGIs 755).  Having the files owned by a user 
that cannot log onto the box is ultimately more secure, but makes 
administration/maintenance more complicated.

Running the server as the same user that owns the files is generally a 
big no-no.  Even without the write bit on the files and directories, 
it's probably not as secure as you think it is.


-- 
Aaron W Morris <aaronmorris@mindspring.com> (decep)



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
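
Added example (not part of the original message or of the Apache project): a POSIX shell check that audits a document root against the layout described in the reply above, where files are not owned by the account the server runs as, content files are 644, and directories and CGIs are 755. The function name audit_docroot and the OWNER/WRITABLE/MODE labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a document root against the ownership/mode layout
# discussed in this thread. Names and labels here are hypothetical.
# Usage: audit_docroot DOCROOT SERVER_USER   (user name or numeric uid)

audit_docroot() {
    docroot=$1
    server_user=$2

    findings=$(
        # Anything owned by the server account can be made writable by
        # that account with chmod, even if the write bit is off today.
        find "$docroot" -user "$server_user" -print | sed 's/^/OWNER /'

        # Group- or world-writable entries (symlink modes are not meaningful).
        find "$docroot" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/WRITABLE /'

        # Regular files should be 644 (content) or 755 (CGI); dirs 755.
        find "$docroot" -type f ! -perm 644 ! -perm 755 -print |
            sed 's/^/MODE /'
        find "$docroot" -type d ! -perm 755 -print | sed 's/^/MODE /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1    # at least one deviation from the expected layout
    fi
    return 0
}

# Run as a script when given both arguments, e.g.:
#   sh audit_docroot.sh /path/to/docroot nobody
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```

A non-zero return means at least one entry deviates; each output line names the reason and the path, so the check can run at the end of an unprivileged update script.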

