DaemonForums > FreeBSD > FreeBSD Ports and Packages

#1 - 23rd July 2008 - ijk
apache documentroot
What is the ideal place for the Apache document root, both from a security and an efficiency point of view?
The default usually is something like /usr/local/apache/htdocs.

Also, what permissions should the DocumentRoot directory have? So far I have run the DocumentRoot with root permissions, but would it be better to run it without root permissions?

Thanks
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5

#2 - 23rd July 2008 - DutchDaemon (Ben)
Apache's default is safe enough, and so are the root:wheel defaults. The only reason to deviate from that standard is when you're hosting a bunch of virtual hosts that need to be maintained by different people. In that case you'll want DocumentRoots in (for example) users' homedirs (like /home/user/www or /home/user/public_html) with the permissions set to these users so they can maintain their sites.

#3 - 23rd July 2008 - ijk
short url
Thank you for your reply.
I was thinking of something like
Code:
/usr/docroot
for the DocumentRoot. It just makes it easier to fill in absolute paths in scripts.
Does having the docroot so close to root cause any security problem? I cannot think of any, but I just want to double check.
Also, how do you manage SFTP transfers of files using a client like CuteFTP, as it is not safe to allow direct root login? So if you log in to CuteFTP as a member of the wheel group but try to replace files owned by root, I think it is not going to allow you to do that, right?

#4 - 23rd July 2008 - DutchDaemon (Ben)
Quote:
Originally Posted by ijk
Thank you for your reply.
I was thinking of something like
Code:
/usr/docroot
for the DocumentRoot. It just makes it easier to fill in absolute paths in scripts.
Well, scripts have variables, and you can make those pretty short:
dir = /usr/local/apache/htdocs leaves you with $dir ..

Quote:
Does having the docroot so close to root cause any security problem? I cannot think of any, but I just want to double check.
No, I don't think the difference between 'cd /' and 'cd ../../../' will deter anyone. And I don't think the document root will really influence where a hacker who manages to trick Apache into giving him a shell ends up on your filesystem.

Quote:
Also, how do you manage SFTP transfers of files using a client like CuteFTP, as it is not safe to allow direct root login? So if you log in to CuteFTP as a member of the wheel group but try to replace files owned by root, I think it is not going to allow you to do that, right?
Never allow straight root logins anywhere. Just chown the directory to the user maintaining the site using (S)FTP, or, if there are several users maintaining the same site, put them in their own group and chmod the web files to 664. Apache does not care who owns the files, as long as they're world-readable (--4).

#5 - 23rd July 2008 - ijk
Thanks
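As an added example (not from any post in this thread), here is a shell script that applies the group-maintained layout DutchDaemon describes to a constructed sample site: directories 775 and files 664 so every member of the maintainers' group can replace files over SFTP, while Apache, running as a different uid that is not in that group, still reads everything through the "other" bits (--4). It also audits the tree for anything Apache could not read, which is the check you want after an upload made with a restrictive umask. The docroot path, the user and group names webmaster:webdev and the sample files are assumptions made up for the demo; chown/chgrp need root, so the script prints that command instead of running it.

```shell
#!/bin/sh
# Added example, not the thread's own code: group-maintained DocumentRoot
# permissions (dirs 775, files 664) plus an audit for paths Apache cannot read.
# Assumed names: docroot under a mktemp dir, maintainers webmaster:webdev.
set -eu

# Apply the group-maintained layout. The setgid bit (2775) on directories makes
# files uploaded later inherit the site's group instead of the uploader's.
set_site_perms() {
    docroot=$1
    find "$docroot" -type d -exec chmod 2775 {} +
    find "$docroot" -type f -exec chmod 664 {} +
}

# List every path that a process running as another uid, outside the group,
# could not read: files lacking o+r, directories lacking o+r and o+x.
find_unreadable() {
    docroot=$1
    find "$docroot" -type f ! -perm -004
    find "$docroot" -type d ! -perm -005
}

# Number of offending paths (what an automated check would alert on).
count_unreadable() {
    find_unreadable "$1" | wc -l | tr -d ' '
}

# Constructed sample site: two normal files and one config uploaded with a
# 077 umask, which is exactly the case that breaks a shared site.
make_demo_site() {
    base=$(mktemp -d)
    docroot=$base/www/example.org
    mkdir -p "$docroot/css" "$docroot/private"
    chmod 755 "$docroot" "$docroot/css"
    printf '<h1>hello</h1>\n' > "$docroot/index.html"
    printf 'body{}\n' > "$docroot/css/site.css"
    chmod 644 "$docroot/index.html" "$docroot/css/site.css"
    printf 'secret\n' > "$docroot/private/config.php"
    chmod 600 "$docroot/private/config.php"   # typical SFTP upload with umask 077
    chmod 700 "$docroot/private"
    printf '%s\n' "$docroot"
}

demo() {
    docroot=$(make_demo_site)
    echo "before: $(count_unreadable "$docroot") path(s) Apache cannot read"
    find_unreadable "$docroot"
    set_site_perms "$docroot"
    echo "after:  $(count_unreadable "$docroot") path(s) Apache cannot read"
    # Ownership still has to be set by root (assumed names):
    echo "run as root: chown -R webmaster:webdev $docroot"
}

demo
```

Run it as any unprivileged user; it works entirely inside a temporary directory. In production, run `find_unreadable` against the real DocumentRoot after each deployment, and pair it with a umask of 022 (or 002 on a shared site) in the maintainers' SFTP login environment so the problem does not recur.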
Thank you for the comprehensive reply :-)

#6 - 23rd July 2008 - hunteronline
Apache Security
From a security point of view you should be using jails. Take a look at ezjail in the ports tree.

mod_security and IPF (firewall), in ports, should also be considered.

#7 - 23rd July 2008 - phoenix (Freddie)
The problem with jails is the overhead of running multiple, separate instances of httpd, plus the need for a separate IP for each jail (and the limit of a single IP per jail).

In a lot of situations, these are not limitations and help a lot. In others, these are limitations that make jails unusable.

Each situation is different, and the tools need to be examined in that light in order to select the one that works best.

#8 - 23rd July 2008 - hunteronline
phoenix,

I know if I was using a "Core2Quad Q9300 8gb DDR2 750gb" for a server, additional IPs wouldn't be a problem or issue. That being said, phoenix is correct: jails do have some issues, and the need for an IP for each jail is the major one for a lot of people.

#9 - 23rd July 2008 - cajunman4life (Aaron Graves)
While it may not work for everybody, this is my very specialized setup...

I have a separate /www filesystem. /usr/home/<username>/public_html is symlinked to /www/<username>. Inside /www/<username> is a directory for every domain each user has under their account.

The reason for this is that /usr/home/<username> is generally chmodded 700 (or 750 with a very restrictive group assignment), so Apache (which is running as its own user/group) would not be able to access anything within the directory.

/www/<username> is generally 750 with the owner as <username> and the group set to Apache's group. The domain folders below this directory are generally 750; however, they can be set 755 with the group set to the user's primary group (to allow CGI scripts run through suEXEC to run directly in the web root).

Apache's DocumentRoot is /www, and each <VirtualHost> has its DocumentRoot set to /www/<username>/<domain>.
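As an added example (not cajunman4life's own scripts), here is a shell script that builds the layout described in the post above under a throwaway base directory instead of /, so it runs as an unprivileged user: home/<user> at 700 so Apache can never traverse the real home, www/<user> and www/<user>/<domain> at 750 with Apache's group as the group, the public_html symlink from the home into /www, and the matching Apache 2.2 <VirtualHost> stanzas. The user name alice, the domains, the base path and the group name www are constructed for the demo; chown needs root, so the script prints that command rather than running it.

```shell
#!/bin/sh
# Added example, not the thread's own code: per-user /www tree with the home
# directory closed to Apache, as described in post #9.
#   <base>/home/<user>              700  (real home, off-limits to Apache)
#   <base>/www/<user>               750  owner <user>, group = Apache's group
#   <base>/www/<user>/<domain>      750  per-domain DocumentRoot
#   <base>/home/<user>/public_html  -> <base>/www/<user>
# Assumed: Apache's group is "www" (FreeBSD default), user/domain names are fake.
set -eu

WWW_GROUP=${WWW_GROUP:-www}

# Create the per-user tree and the public_html symlink.
# $1 = base dir, $2 = user, remaining args = domains
add_web_user() {
    base=$1; user=$2; shift 2
    mkdir -p "$base/home/$user" "$base/www/$user"
    chmod 700 "$base/home/$user"
    chmod 750 "$base/www/$user"
    for domain in "$@"; do
        mkdir -p "$base/www/$user/$domain"
        chmod 750 "$base/www/$user/$domain"
    done
    ln -s "$base/www/$user" "$base/home/$user/public_html"
    # Ownership is root's job; the group lets Apache read via the group bits.
    echo "run as root: chown -R $user:$WWW_GROUP $base/www/$user"
}

# Emit the httpd.conf (Apache 2.2 syntax) fragment for one user's domains.
# Apache never goes through home/<user>; it is pointed at /www directly.
vhost_conf() {
    base=$1; user=$2; shift 2
    for domain in "$@"; do
        cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $base/www/$user/$domain
    <Directory "$base/www/$user/$domain">
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
    done
}

# Checks a practitioner would run after setup; returns 0 when the layout
# matches the design (exact modes, symlink present and pointing at /www).
check_layout() {
    base=$1; user=$2; domain=$3
    [ -n "$(find "$base/home/$user" -prune -perm 700)" ] || return 1
    [ -n "$(find "$base/www/$user" -prune -perm 750)" ] || return 1
    [ -n "$(find "$base/www/$user/$domain" -prune -perm 750)" ] || return 1
    [ -L "$base/home/$user/public_html" ] || return 1
    [ "$(readlink "$base/home/$user/public_html")" = "$base/www/$user" ] || return 1
}

demo() {
    base=$(mktemp -d)
    add_web_user "$base" alice example.org example.net
    vhost_conf "$base" alice example.org example.net
    check_layout "$base" alice example.org && echo "layout ok"
}

demo
```

For the suEXEC variant mentioned in the post, run `chmod 755` on the domain directory and `chgrp` it to the user's primary group instead of $WWW_GROUP; suEXEC refuses to run a CGI whose directory is writable by anyone other than the target user, so keep the 755 (never 775) there.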