Should I chgrp web directories to dhapache?

I use just one FTP user to upload to my web directories, so I’m wondering – can/should I just change the group of those directories to dhapache and remove world read and search permissions? like (before/after):

drwxr-xr-x me pg###### domain.example/
drwxr-s--- me dhapache domain.example/

Should I do the same for all the files inside? Should I set the group id thing on the web directories so any new files have group dhapache too?

I know I can’t change the group to dhapache myself but would support do it for me? :)

When you say you only use one FTP user, do you mean you yourself have only one on your account, or do you mean that you use one, but you have created others for one purpose or another? If I recall correctly, unless you have other FTP users with shell access, you probably don’t have anything to worry about; if you have only one FTP user, you definitely have nothing to worry about as far as group permissions are concerned. (Still need to worry about the rest of them, though!)

I doubt support would change your directories’ groups to dhapache, particularly because you would want it to apply to all new directories as well, and you wouldn’t be able to set up your own cronjob if the group were dhapache. What you can do, assuming you still think you need this, is follow the instructions on setting Unix groups.

I have just one FTP user, at all.

I was thinking that my web directories need to be read only by the web server, not everyone (after Security Issues).

I can’t change the group to dhapache myself because I don’t belong to that group.

I’m considering just the web directories, not the whole user directory – would that still affect cronjobs (or anything else)? I had guessed that changing the web directories’ groups would mean:

  1. I could keep uploading like before (I still own the files)
  2. Web server could keep serving as before (if dhapache can read and search)
  3. “World” could no longer read web files
  4. Everything outside the web directories would stay the same


If you read the entire post that you linked (and follow the link to the discussion on the DH status blog) I think you will find the problem (which was really easily enough fixed by tightening your own permissions - under suexec dhapache does not need access to script running as your user) has already been addressed by DH.

There is no reason why it should be harmful for “world” to read web files - they are, after all, for distribution. Just tighten up the other stuff, and you should be fine.


My config files are owner-readable only but I was concerned that any shell user on the shared server would be able to list my web directories. You wouldn’t see anything really sensitive but it still seems like a bad idea.

Yeah, I understand, but I believe that issue has been addressed (per DH Honcho Dallas), as other users on your server should no longer be able to do that (last time I tried, I couldn’t do it anymore ;) ).
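
An added example, not part of the thread above: a shell script that reports which directories under a web root other users can list, and which files they can read or write, which is the exposure the last few posts discuss. The function names and the sample tree are constructed for illustration; run `audit_world_access` on your own web directory instead.

```shell
#!/bin/sh
# Report "other" (world) permission bits under a web root.
#   LIST  dir   others can list the directory's contents (o+r)
#   READ  file  others can read the file (o+r)
#   WRITE path  others can modify it (o+w)
audit_world_access() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    {
        find "$1" -type d -perm -0004 -exec printf 'LIST %s\n' {} \;
        find "$1" -type f -perm -0004 -exec printf 'READ %s\n' {} \;
        find "$1" ! -type l -perm -0002 -exec printf 'WRITE %s\n' {} \;
    } | sort
}

# Constructed sample tree (not a real site): one listable directory, one
# traverse-only directory (711), and one owner-only config file (600).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/public" "$t/private"
    echo '<p>hi</p>' > "$t/public/index.html"
    echo 'secret=x'  > "$t/private/config.php"
    chmod 755 "$t" "$t/public"
    chmod 711 "$t/private"
    chmod 644 "$t/public/index.html"
    chmod 600 "$t/private/config.php"
    echo "$t"
}

tree=$(make_sample_tree)
audit_world_access "$tree"
rm -rf "$tree"
```

The `private` directory (mode 711) is not reported: others can traverse it to a path they already know, but cannot list its contents.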