php Apache/CentOS 7:/var/www/html/ 由 root 拥有但创建的文件由 apache 拥有 - 我该如何解决这个问题?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/28878816/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Apache/CentOS 7: /var/www/html/ owned by root but created files owned by apache - how do I resolve this?
提问by TylersSN
I have a fresh, unmodified install of Apache on CentOS 7. I notice that when I look at the folder permissions for /var/www/html it and it's content is owned by apache. When a file is created, however, its owner and group is Apache.
我在 CentOS 7 上安装了全新的、未经修改的 Apache。我注意到,当我查看 /var/www/html 的文件夹权限时,它的内容归 apache 所有。然而,当一个文件被创建时,它的所有者和组是 Apache。
Though html is owned by root:root, should all of the contents be owned by apache:apache? or [user]:apache with that user belonging to the Apache group? How should I go about this?
虽然 html 归 root:root 所有,但所有内容都归 apache:apache 所有吗?或 [user]:apache 与属于 Apache 组的用户?我应该怎么做?
Edit:Another question - do I wantto change this? I do not have a very good understanding of file ownership in Linux systems but it seems with this configuration that the newly created files (apache:apache) are prevented from taking action against files that already exist (root:root). This shouldprevent PHP hacks from being able to manipulate any existing files, right? Is this just the illusion of security though?
编辑:另一个问题 - 我想改变这个吗?我对 Linux 系统中的文件所有权没有很好的理解,但似乎通过这种配置,新创建的文件 (apache:apache) 无法对已存在的文件 (root:root) 采取行动。这应该可以防止 PHP 黑客操作任何现有文件,对吗?但这只是安全感的错觉吗?
回答by user3344236
Check your /etc/httpd/conf/httpd.conf file and search for user and group [e.g. User apache Group apache]. Those are the owners by default. In your website there is no need too add write permissions for files and folders assigned to user:group, but you can set readable by owner and others in order to be accessible via web.
检查您的 /etc/httpd/conf/httpd.conf 文件并搜索用户和组 [例如 User apache Group apache]。默认情况下,这些是所有者。在您的网站中,无需为分配给 user:group 的文件和文件夹添加写入权限,但您可以设置所有者和其他人可读,以便通过网络访问。
Updated answer: The main reason DirectoryRoot (/var/www/html) owned by root is security. You can leave root as owner of files and set group to apache. Regarding security you make sure apache group has read-only access to files [-> One first meassure]. The security is not an illusion. While files are owned by root and do not have rw access from others, it is hard for external attackers to gain write access to files [because this is the most common way to hiHyman a site].
更新的答案:root 拥有的 DirectoryRoot (/var/www/html) 的主要原因是安全性。您可以将 root 作为文件的所有者并将组设置为 apache。关于安全性,您确保 apache 组具有对文件的只读访问权限 [-> 第一项措施]。安全不是幻觉。虽然文件归 root 所有并且其他人没有 rw 访问权限,但外部攻击者很难获得对文件的写访问权限 [因为这是劫持站点的最常见方式]。
