*nix based Basic Apache Security with Group Permissions

Hi guys, I thought I'd share some security info with you all about some basic things with file permissions you can do to make apache more secure.

As many of you no doubt know, all of the unix derived OSes use the unix-style file permissions. You basically set the permissions for user, group, and all other uses. This is, in my opinion, a rather simple yet elegant solution.

On my RedHat installation, apache has the following two directories:

There is also an apache user and an apache group.

Here's the dilemma:
User bob runs his little apache server off his cable connection. He wants to give other users access to his box via ssh, but still keep the source to all of his PHP closed. This is difficult because in order to give apache the ability to read the script for processing, he has to set his permissions to 644 (-rwxr--r--), which gives everyone else the ability to view the source of the file.

This is where groups come in to save the day.
Bob edits his /etc/groups and adds a line that reads:

This creates a group named 'site' with GID (group ID) 550, and tells the system that users bob and apache are members of that group.

Bob then sets the permissions on all his website files to 640 (-rwx-r-----) and his website directories to 750 (drwx-r-x---), and then does chown bob:site -R * from his web root directory. That tells the system that the owner is bob, the group that owns the file/directory is site, and to recursively apply that to all files down in that directory (make sure it's your web directory, ie: /var/www).

Now, because the user apache is in the site group, that user can then access those files and read them, but every other user on the server is prevented from accessing them. This is exactly what bob needs, so he's now happy enjoying his multi-user webserver.

Another tip for PHP developers: if you have a lot of files containing functions (especially those containing databse connect IDs and passwords), a good idea is to store them in a non-webroot folder. So say your webservers webroot is /var/www/html, you could create a non-browseable area in /var/www/nonbrowse so that there's no possible way to get at it from the web.

Just some ideas to help you create a more secure installation.