Combined Errata
Page 90
14th line, should read: # chown -R webuser.webteam /home/httpd
I recommend running Apache as a user other than the default "nobody" account on Linux, not because "nobody" is inherently an insecure account, but mainly because I avoid using any and all default accounts that can be found on all Linux systems. Just like I always disable the Guest account on a Windows 2000 system.
I would make the Web server run as a member of a group that has read-only access permissions to the Apache server's DocumentRoot and read/execute permissions to cgi-bin. But make sure both folders are owned by a user account different from the one under which the httpd listener processes run. This is what I intended to recommend in the 2nd edition of my Apache book, but what actually got printed is in error.
The group under which Apache runs is granted read access to the directory defined by DocumentRoot (to include PHP scripts, which don't require the execute bit to run), and read/execute access to all directories containing CGI scripts (Apache can read and execute the contents of cgi-bin, but CANNOT write them), sort of like:
# chown -R webuser.webteam /home/httpd
# chmod -R 744 /home/httpd/*
# chmod -R 754 /home/httpd/cgi-bin/*
Apache would run as a member of the group "webteam", but would NOT run as the "webuser" account. Note that all other user accounts have read access only, and cannot write to or execute files in the Web directories. Note that, to create or edit files in DocumentRoot or cgi-bin, users will require access to the "webuser" account.
I hope that helps clear things up. The user www on pg 90 that you are changing permissions to write CGI scripts in cgi-bin is the same user created on pg 93 that is written in httpd.conf to run the httpd child processes. On Pg 90 it states not to allow Apache to write to the cgi-bin. Pg 90 should read instead:
# chown -R webuser.webteam /home/httpd/cgi-bin
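The scheme above, written as a check that can be run against a web tree; this is an added example, not code from the book. The function names are assumptions, and directories are given mode 754 rather than 744 because a recursive numeric mode also lands on directories, and a directory without the group search bit leaves its files unreachable for members of webteam.

```shell
#!/bin/sh
# Added example, not from the book. apply_scheme, audit_webroot and
# make_sample are assumed names; chown needs root and is left to the admin.

# Constructed sample tree: one page, one PHP script, one CGI script.
make_sample() {
    mkdir -p "$1/html/docs" "$1/cgi-bin"
    touch "$1/html/index.html" "$1/html/docs/info.php" "$1/cgi-bin/form.cgi"
}

# Content 744, CGI scripts 754 as in the errata; directories get 754 so the
# server's group keeps the search bit and can reach the files inside them.
apply_scheme() {
    find "$1" -type d -exec chmod 754 {} +
    find "$1" -type f -exec chmod 744 {} +
    find "$1/cgi-bin" -type f -exec chmod 754 {} +
}

# audit_webroot ROOT HTTPD_UID: one line per violation, nothing if clean.
audit_webroot() {
    # Writable by the group or by other accounts.
    find "$1" \( -perm -020 -o -perm -002 \) -exec echo WRITABLE {} \;
    # Owned by the account httpd runs as, which could chmod it writable.
    find "$1" -user "$2" -exec echo OWNED-BY-HTTPD {} \;
    # Directories without group search permission: contents unreachable.
    find "$1" -type d ! -perm -010 -exec echo NO-TRAVERSE {} \;
    # CGI scripts the group cannot both read and execute.
    find "$1/cgi-bin" -type f ! -perm -050 -exec echo CGI-NOEXEC {} \;
}

# Entry point: sh thisfile ROOT HTTPD_UID
if [ $# -eq 2 ]; then audit_webroot "$1" "$2"; fi
```

The audit reads mode bits and numeric owner only, so it can run as any account that can list the tree.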