File ownership in WebsiteRoot
Duke Normandin
30 November 2010, 15:53
I found a blog dealing with the setup of a super-secure Hiawatha server.
In this blog, it is suggested that /var/log/hiawatha/ be chown to www-data.
Should all files under the WebsiteRoot also be chown www-data? The default,
out-of-the-box installation has everything owned by "root root". TIA....
Hugo Leisink
30 November 2010, 22:21
If www-data is the user for Hiawatha, then I don't recommend it. Because the webserver is then able to change website content. In case of a remote exploit, your website can be defaced.
Duke Normandin
1 December 2010, 03:02
So leave the file ownership as "root root" - is that what you are saying?
Hugo Leisink
1 December 2010, 09:00
That's one option. What I always do is create a user 'webadmin' and place all websites in the homedirectory (/var/www) of that user. All files are owned by this user. This way, the webserver cannot change website files and you don't need root access to change a website.
Duke Normandin
1 December 2010, 18:23
Excellent! Thanks...
This topic has been closed.