什么是Apache的可写目录的权限为最佳实践? [英] What are best practices for permissions on Apache-writable directories?
问题描述
有时我想允许用户通过Apache上传文件。有两种不同的方法我可以设置权限,以便Apache可以上传的文件写入到目录中。
Sometimes I want to allow users to upload files through Apache. There are two different ways I could set the permissions so that Apache can write the uploaded files to the directory.
-
我可以让Apache正在运行的目录的所有者的用户,这样它看起来是这样的:
I can make the user Apache is running as the owner of the directory so that it looks like this:
drwxr-XR-X 2 WWW管理68 2007年9月24日UPLOADEDFILES
我可以给写权限为他人,其中Apache是别人之一:
I can give write permission to "others" where Apache is one of the others:
drwxr-xrwx 35埃格伯特管理1190 3月9日13:17 UPLOADEDFILES
时比其他这些安全呢?
推荐答案
最严格的访问,在这种情况下,独占访问 WWW /管理员经许可 0750 ,永远是最安全的。需要注意的是,在上述权限掩码,谁是用户既不 WWW 也不成员管理不允许访问目录中所有内容;这是为了为降低未授权方登录到潜在机密信息的系统增益访问的可能性由用户上传。
The most restrictive access, in this case exclusive access to www/admin with permission 0750, is always the safest. Note that, in the permission mask above, users who are neither www nor members of admin are not allowed to access the contents of the directory at all; this is in order to reduce the possibility that an unauthorized party logged into the system gain access to potentially confidential information uploaded by users.
不要忘了,你也有第三,极为灵活的选项大多数* nix平台,即使用的 setfacl的 。 ACL是什么可以与常规的权限位和所有权的方法来实现的超集。当复杂的安全设置面临ACL是选择的选项(包括每个用户的权限,默认所有制,等等 - 但你可能需要先添加 ACL 到 / etc / fstab文件在卷上托管你的目录安装选项,请参阅男人安装)。你可以选择是否要使用ACL两个或两个以上的用户需要访问到相关目录而不,比如说委员,管理组。
Do not forget that on most *nix platforms you also have a third, extremely flexible option, that is, setting ACLs using setfacl. ACLs are a superset of what can be achieved with the regular permission bits and ownership methods. ACLs are the option of choice when confronted with complex security setups (including per-user permissions, default ownerships, etc. - but you may need to first add acl to /etc/fstab in the mount options of the volume hosting your directory, see man mount.) You may choose to use ACLs if two or more users need access to the directory in question without being members of, say, the admin group.
这篇关于什么是Apache的可写目录的权限为最佳实践?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
