
Webroot permissions


michaels
8th December 2004, 11:24 AM
Hi,

I'm building a web server based on F3 and need to set permissions for the webroot directory to 777 to allow a PHP script to write to the directory. Starting with the basic server install, how should I set up the Users, Groups and permissions to run the web server securely?

Thanks,

Michael.

macemoneta
8th December 2004, 11:52 AM
Start by not changing the permissions of the directory to 777. This means that everyone can write to your web server, and opens you to a local exploit. A default installation of the httpd package is secure, especially if you have SELinux enabled with the targeted policy (main menu, System Settings->Security level).

Your php script will be running under the apache userid (unless you change the configuration of the web server), and it will have write permissions where it is supposed to.

If you get a forbidden error and the permissions are correct (usually 644), make sure the file and directory contexts are set correctly. For example, if the php scripts are installed in a 'phppackage' directory in /var/www/html, you can issue the command:

ls -Z /var/www/html/phppackage

The files and directory should have a context of 'httpd_sys_content_t'.

If not, you can correct the context with:

chcon -R -t httpd_sys_content_t /var/www/html/phppackage

FC3 is the most secure version of Linux available, with the inclusion of SELinux. This document (http://fedora.redhat.com/docs/selinux-apache-fc3/) might be useful for understanding the interaction of Apache and SELinux, and this FAQ (http://fedora.redhat.com/docs/selinux-faq-fc3/) will also be helpful.

michaels
8th December 2004, 12:17 PM

Hi,

thanks for the pointers, I have SELinux enabled and will check the permissions as per your instructions.

Who (user/group) should own /var/www/html?

I've lost track of my changes!

Thanks,

Michael

macemoneta
8th December 2004, 12:32 PM
In general, user 'apache' and group 'apache' should own the web accessible directories and files. There are some exceptions (like permitting user files in /home/), but for most content, apache.apache should be used.
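As an added example (not code from either poster), here is a small POSIX shell audit that lists the two things the replies above warn against: world-writable entries under the webroot (the 777 case) and files not owned by the expected account. It assumes only sh and find(1); the directory and owner are parameters, and the sample tree it builds is constructed here for demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a webroot for the two things
# the replies above warn against: world-writable entries (the 777 case)
# and files not owned by the expected account. Assumes POSIX sh and
# find(1); pathnames are parameters, and the sample tree is constructed.

# world_writable DIR: print every file or directory under DIR that "other"
# may write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# not_owned_by DIR USER: print every entry under DIR not owned by USER
# (on the server in the thread, USER would be apache).
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# webroot_is_sane DIR USER: succeed only when both checks come back empty.
webroot_is_sane() {
    [ -z "$(world_writable "$1")" ] && [ -z "$(not_owned_by "$1" "$2")" ]
}

# make_sample: build a constructed webroot with the usual 755/644 modes
# (owned by whoever runs the script) and print its path.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/html/phppackage"
    printf '<?php echo "ok"; ?>\n' > "$base/html/phppackage/index.php"
    chmod 755 "$base/html" "$base/html/phppackage"
    chmod 644 "$base/html/phppackage/index.php"
    printf '%s\n' "$base"
}

# Run as a script: audit the directory given on the command line, checking
# ownership against the second argument (default: apache).
if [ -n "$1" ]; then
    echo "world-writable entries:"; world_writable "$1"
    echo "entries not owned by ${2:-apache}:"; not_owned_by "$1" "${2:-apache}"
fi
```

Run it as `sh audit.sh /var/www/html apache` on the server; any line printed under the first heading is a directory or file that every local account can modify, which is the local exposure the first reply describes.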

michaels
8th December 2004, 01:50 PM
Hi,

the webroot directory is now set to:

drwxrwxrwx 4 apache apache

and the install scripts

drwxr-xr-x 4 web web (ftp account for script install)

The scripts have a context of 'httpd_sys_content_t' and are 755:

-rwxr-xr-x web web root:object_r:httpd_sys_content_t

However, the scripts still can't write files to the webroot?

Kind regards,

Michael.

macemoneta
8th December 2004, 01:58 PM
What error message is generated (usually in /var/log/httpd/error_log)? Also, check /var/log/messages to see if an SELinux error is generated.

michaels
8th December 2004, 02:35 PM
Hi,

the script generates the following SELinux error message in /var/log/messages:

Dec 8 14:20:06 nw10 kernel: audit(1102515606.692:0): avc: denied { write } for pid=2517 exe=/usr/sbin/httpd name=html dev=dm-0 ino=816169 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir

Kind regards,

Michael.
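Added example (not code from the thread): a POSIX shell parser, assuming sed(1), awk(1) and cut(1), that pulls the source type, the denied permission, the target type and the object class out of an AVC line of the shape quoted in the last post. The sample line is constructed from that post with the wrapped line joined; a second, unrelated constructed line in the usage shows the negative case.

```shell
#!/bin/sh
# Added example, not from the thread: extract the fields of an SELinux AVC
# denial line like the one quoted above so the operator can see which
# domain was refused which permission on which label. Assumes sed, awk
# and cut; the sample line is constructed from the post.

SAMPLE_AVC='Dec 8 14:20:06 nw10 kernel: audit(1102515606.692:0): avc: denied { write } for pid=2517 exe=/usr/sbin/httpd name=html dev=dm-0 ino=816169 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir'

# avc_field LINE KEY: print the value of the KEY=value token in LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the permission(s) inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | awk -F'[{}]' '{ gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }'
}

# ctx_type CONTEXT: the type field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "SOURCE_TYPE PERM TARGET_TYPE TCLASS" on one line.
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# is_httpd_content_write_denial LINE: succeed when the line is the web
# server domain (httpd_t) being refused write on ordinary web content
# (httpd_sys_content_t), which is what the denial in the post shows.
is_httpd_content_write_denial() {
    set -- $(avc_summary "$1")
    [ "$1" = httpd_t ] && [ "$2" = write ] && [ "$3" = httpd_sys_content_t ]
}

# Run as a script: summarise every AVC line on stdin, e.g.
#   grep 'avc: denied' /var/log/messages | sh avc.sh
if [ ! -t 0 ] && [ -z "$SKIP_STDIN" ]; then
    while IFS= read -r line; do
        case $line in *'avc: denied'*) avc_summary "$line" ;; esac
    done
fi
```

For the line in the post the summary is `httpd_t write httpd_sys_content_t dir`: the web server domain was refused write access on a directory labelled as ordinary content, which is exactly the situation that tempts people into chmod 777. The earlier reply's approach still applies: keep the content label on the scripts, and change only the one directory the script must write to, with chcon, to a type the policy lets httpd write (the thread does not name that type); the mode bits are not the problem here.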