保护 Apache 站点权限
[英]Secure Apache Site Permissions
问题描述
I saw a recommendation in an article on website security that separate websites running on a web server should be running under separate users for containment, and to limit a breach on one site leading to infection of the other sites.
我在一篇关于网站安全的文章中看到了一条建议,即在 web 服务器上运行的单独网站应该在单独的用户下运行以进行遏制,并限制一个站点上的违规行为导致其他站点受到感染。
I am running an Ubuntu 20.04 LAMP server with public internet exposed personal websites.我正在运行带有公共互联网公开个人网站的 Ubuntu 20.04 LAMP 服务器。 They are set up as virtual hosts in Apache under /var/www/, but all are running using the standard www-data:www-data user and group.它们在 /var/www/ 下的 Apache 中设置为虚拟主机,但都使用标准的 www-data:www-data 用户和组运行。 How would it work to run them under different user accounts?在不同的用户帐户下运行它们将如何工作?
Do I simply create a new user & group, then chown the /var/www/directory to be owned by that user?我是否只需创建一个新用户和组,然后将 /var/www/directory 归该用户所有? How would that work with allowing Apache permissions to write to the sub-dirs then for patches, uploads, etc?如果允许 Apache 权限写入子目录然后进行补丁、上传等,这将如何工作?
1 个解决方案
解决方案1
0 已采纳 2021-01-24 23:11:34
Apache has it's own user and group (www-data or others according to the distribution it's runnin on). Apache 有自己的用户和组(www-data 或其他根据其运行的分布)。 To achieve what you want, you need to create a user for each virtualhost and make sure apache can read/write file/folders owned by this new user for example putting apache group into the new user's group (or the other way around, according to how you want to handle permissions).要实现您想要的,您需要为每个虚拟主机创建一个用户并确保 apache 可以读取/写入此新用户拥有的文件/文件夹,例如将 apache 组放入新用户组(或相反,根据你想如何处理权限)。
The logic "behind" is exactly the same you use to handle linux users and group permissions. “背后”的逻辑与您用于处理 linux 用户和组权限的逻辑完全相同。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.