httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron W Morris <>
Subject Re: [users@httpd] remote update of the websites
Date Sun, 25 Apr 2004 03:57:25 GMT
Ksenia Marasanova wrote:
> Hi list,
> I'm planning to automate the process of updating my websites and was 
> wondering how other people do this.
> Currently It's quite a procedure:
> - scp files to the webserver (as a regular user)
> - su to root
> - copy files to the www directory
> - chown files to www:www (if needed)
> - chmod files to r--------, directories to dr-x------, cgi scripts to 
> r-x------ (if needed)
> In the ideal situation, I'd like to have an update script that will just 
> copy updated files tot the webserver and taking care of everything. But:
> - I don't want to open any other ports but ssh
> - I don't want to allow root remote access
> Actually I don't want to use root login at all, prefer to do everything 
> as a regular user. But if I understand things correctly, than I'll need 
> to make this user the owner of the web files... right? Does it  open any 
> security holes?
> Appreciate any help!
> Thanks,
> Ksenia.

It is not less secure as long as you secure the rest of your box.  You 
could have the server running as nobody and the files owned by a regular 
user (files mode 644, dirs/CGIs 755).  Having the files owned by a user 
that cannot log onto the box is ultimately more secure, but makes 
administration/maintenance more complicated.

Running the server as the same user that owns the files is generally a 
big no-no.  Even without the write bit on the files and directories, 
it's probably not as secure as you think it is.

Aaron W Morris <> (decep)

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message