Deano

Reputation: 12200

apache and File system permissions

In the default install of Apache on CentOS or RHEL, looking at the file system permissions for the html directory in /var/www/:

drwxr-xr-x. 2 root root 4096 Aug 13  2013 html

My website works, and I have no issues with it, however I would like to know why and when do we need to set the directory to apache:apache?

Thank you

Upvotes: 0

Views: 1809

Answers (2)

deceze

Reputation: 522165

Since Apache is not running as root (presumably, hopefully), it only has read permissions on the directory as part of the last o=rx. This is a good default, since it means that it cannot alter the directory, only passively read and serve files from it. Everything running under an Apache process (e.g. mod_php) thereby has the same restrictions. That prevents a lot of common rookie exploits, like allowing uploads of .php files into a public web folder; because Apache/PHP cannot write into the web folder.

You should assign directories that Apache/PHP/CGI should explicitly be able to write into to apache/www-data (depending on your OS/configuration). It's not typically a good idea to do this with any directory under /var/www; you should leave that read-only as much as possible. However, adding an application-specific folder to something like /usr/local/var/<my website> with write permissions for Apache and selectively sym-linking or mod_rewriting to it is fine.

Upvotes: 2
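
An added example, not part of the answer above: a small audit that lists everything under a document root that the web server account could modify, which is what the read-only default is meant to keep empty. The function names, the constructed sample tree and the numeric IDs are assumptions for illustration, and supplementary group membership is not considered.

```shell
#!/bin/sh
# web_writable ROOT UID GID
# Prints every entry under ROOT that the account with numeric UID/GID can
# write to: owned by it with u+w, in its primary group with g+w, or
# world-writable. Symlinks are skipped (their mode bits are meaningless).
# Real use: web_writable /var/www/html "$(id -u apache)" "$(id -g apache)"
web_writable() {
    root=$1 wuid=$2 wgid=$3
    find "$root" ! -type l \( \
        \( -user "$wuid" -perm -0200 \) -o \
        \( -group "$wgid" -perm -0020 \) -o \
        -perm -0002 \) -print
}

# Builds a constructed sample tree (not a real site) and prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/html/css" "$d/html/uploads" "$d/html/cache"
    echo '<h1>ok</h1>' > "$d/html/index.html"
    chmod 755 "$d/html" "$d/html/css"   # same mode as the default html dir
    chmod 644 "$d/html/index.html"
    chmod 777 "$d/html/uploads"         # world-writable: always reported
    chmod 775 "$d/html/cache"           # reported only for a matching group
    echo "$d"
}

# Demo: audit the sample tree as an account that owns none of it
# (54321 is a constructed UID/GID). Only the 777 directory is listed.
demo=$(make_sample) && web_writable "$demo/html" 54321 54321
rm -rf "$demo"
```

An empty result for the real document root means the Apache account can only read and serve the files there.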

heroandtn3

Reputation: 164

When your website needs permission to modify a directory/file in the web app folder, you have 2 choices: 1) chmod the folder to 777/666 or 2) change the owner of these folders/files to apache

Sometimes, changing the owner is preferred to chmod for security reasons.

Upvotes: 1
