# Apache: Secure user, group, and documentroot setup for production server



## nx (Jul 23, 2012)

Please forgive my noob questions as I (re)learn some of the basics of secure server setup:

My Setup
FreeBSD 9, a jail in it called webserver.mydomain.com, and apache 2.4.2 installed from source in the jail (so I can use the latest stable event mpm, although now everything is in /usr/local/apache244).
This will be a live production server that will be run behind an existing reverse proxy (in a jail) on another machine, so apache will listen on an unprivileged high port (8085+).
I will be the only one with physical access to all servers, the only person editing apache configs and maintaining the apps/OS, and most of the time the only one updating web content on it.
I may give someone chrooted sftp access to the documentroot folder to sync/update/backup web content.


Question 1
*For bare minimum security (using a jail or not), should I be running apache as if it is set up in a shared hosting environment?*

Something like this where the documentroot (mydomain.com) is symlinked to the home of user mydomain.com:


```
/usr/local/www/mydomain.com ---> /usr/home/mydomain.com
```

I've read that, for security and performance reasons, symlinking should be turned off in directories apache serves.
If so, what is the best way of doing this?
And am I gaining any security by doing this or am I better to just use what I'm doing in Question 2?
The only benefit I can see is if I want to give someone ssh/scp access, but this can be accomplished with chrooted sftp and not giving them a user account.

Question 2
*Should the apache user:group eg webserver:webserver own the subdirectories and files in documentroot?*
I've read that apache should only have read access to web server content, and as a new unprivileged user eg webserver.

What I've done so far:

Created a new unprivileged user for apache:


```
1) # pw groupadd webserver
```


```
2) pw adduser webserver -g webserver -d /nonexistent -s /usr/sbin/nologin -c "User and group Apache runs as"
```


Then I've created a new unprivileged user for owning content in the documentroot (same process as above) named webadmin.

And then I've made the unprivileged apache webserver user part of the unprivileged webadmin group.


```
pw groupmod webadmin -m webserver
```

This should give the apache user webserver read access to the documentroot's contents when I:


```
chown -R webadmin:webadmin /usr/local/www/mydomain.com
```


```
chmod -R 444 /mydomain.com
```

(mydomain.com ofc being documentroot)

This way the only way to change ownership of content in documentroot is to be root and chown content as webadmin.
*
Can I similarly change ownership to webadmin:webadmin and chown as 444 apache's config and log files??*

Am I doing this right?



Question 3
*If I do 1 and 2 - do I still need to run apache in a jail?*
I've read that jails can add unnecessary processing overhead to production servers. 
My main reason for using one would be to limit access to other network resources if an intruder gets into the jail.
But I already have a good server cloning and web content backup system, so re-provisioning a server isn't a big headache (yet) if it were hacked.

Thanks


----------



## quintessence (Jul 26, 2012)

Hello,

Q1:

Depends on your structure, you can always make changes in the global or personal virtual host document root, and because of that there is no need using symlinks (is not not secure and so on  ).
So if your users have a basic chrooted FTP access to the /home/www/mydomain.com or /home/www/mydomain2.com you can always place DocumentRoot for the correspondenting websites in the httpd-vhosts.conf same as home directories of your users.

Q2:
Depends on your needs. Example, you have a website that should be able to write in the folder cache, which is some typical structure for open source web site platforms, CMS and others, and always it is written that you should give permission *777* to the correspondeting file or folder, which is wrong, because is is enough to change the permissions of that file or folder to be able web server to writes in it. It is be accomplished by chowing the file/folder to the web server user, or if you have some more extended setup that aquires other (chrooted FTP) users to be able to write to the same file/folder the lazy *664* for files and *775* for directories

If you have an account root with password 1 to 6, and your sshd allows root login and it is opened for everyone, and ... a lot of things (a lot of A4 pages), yes they can go into your server 
The reason you mentioned as explanation - no, you don't need to run Apache in Jail if you only concern of this, you can just simple use chrooting Apache.


----------



## nx (Jul 26, 2012)

Thanks quintessence!


----------

