CPG Dragonfly™ CMS

warden · Joined: Dec 16, 2004 Posts: 196 Location: North Carolina

This is a topic that I have been hesitant to start for some time now. Technically, this may not apply to DF but I know that there are some people here that know a lot more about Apache than others and I ask for your help since Dragonfly is involved.

This deals with Apache configuration and making the Dragonfly /cache folder writable at chmod 755 instead of 777.

I am building a home web server to host an initial DF site. Over time I will move others there, but for now, I only want to get the first one working correctly. The server Administrator is myself, with root access of course.

I have used commercial servers that worked fine with the cache folder readable and writable at chmod 755 with no errors showing on the DF page. But with the setup that I now have on my home server, it will only read/write correctly to the cache folder at chmod 777, which is more of a security concern than chmod 755.

How to I configure the Apache server to allow for DF to use the cache folder correctly at chmod 755 instead of 777? Or, should I not be concerned about it?

I am using webmin as a gui administration interface, if that helps, with Linux kernel 2.6, Apache 2.2.x, mysql 5.0.x, php 5.x. I currently have the file and folder creation octel set at 022 which does create files and folders at a chmod 755 default.

I could ask this on an apache forum board, but I don't know if I would ask it correctly, so I will ask here with the DF cache folder example. Thanks for any assistance.

DJ Maze

There are several things you should know about GNU/Linux.

What is 0755?
7 = owner (read + write + execute)
5 = group (read + execute)
5 = other (read + execute)

Who is the owner?
Well that depends on "who" created the directory.
Was it "apache", "root" or anyone else?
By default when you create a directory thru FTP the owner of the directory is the name of the person you used for login on the FTP

Who is the owner of the PHP process?
That depends how PHP is called. If you use PHP as Apache module it could be "apache" or "www-data".
When running PHP in FastCGI mode with chroot (change root) it can be anyone.

So, to properly configure your server you need Apache + Chroot + FastCGI + PHP and configure a "webuser" that owns all files and directories.

That way PHP is run by "webuser" and has write access to the directory of "webuser".

To further protect your system 100% make all files 0222 (read-only) and any other directory 0555.
That way there is no "normal" crack script that can modify any file.