Apache process owner: nobody
Application code owner: www
With this split, the Apache worker processes (running as nobody) can read and execute the application code but cannot modify it, because the code is owned by a different account (www) and is not group- or world-writable. Only special directories that the application genuinely needs to write to, such as tmp (session files, caches, uploads), are handed over to the Apache user. The point is damage limitation: if the web application is compromised, the attacker running as nobody cannot rewrite PHP source files, and the only writable locations are ones you know about and can lock down separately.
Commands to reset the permissions

The order matters: ownership is set first, then the recursive find calls normalise every directory to 755 and every file to 644, and only then is the tmp directory handed to nobody and made writable.

```sh
# Code tree belongs to www; Apache (nobody) can only read it
chown www:www -R /www
# The application's scratch directory belongs to the Apache user
chown nobody:nobody -R /www/www.example.com/tmp
# Directories: rwxr-xr-x; files: rw-r--r-- (no execute bit on source files)
find /www/ -type d -exec chmod 755 {} \;
find /www/ -type f -exec chmod 644 {} \;
# tmp must be writable by its owner (nobody); 744 leaves others with read only.
# Note: a recursive 744 also sets the execute bit on files inside tmp; splitting
# it into find -type d / -type f (755 / 644) as above is stricter.
chmod 744 -R /www/www.example.com/tmp
```
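The commands above set the policy; the following script checks that a tree still obeys it. It is an added example, not part of the original handbook, and it assumes the same layout (one document root plus one scratch directory passed as the second argument). It reports anything outside the scratch directory that is group- or world-writable, and anything inside the scratch directory that is executable or a PHP file, since a writable directory is exactly where an uploaded web shell would land. The sample tree in the usage note is constructed for illustration.

```sh
#!/bin/sh
# audit_perms DOCROOT TMPDIR
#   DOCROOT: the application tree owned by www (e.g. /www/www.example.com)
#   TMPDIR:  the scratch directory owned by the Apache user, without a
#            trailing slash (e.g. /www/www.example.com/tmp)
# Prints one line per violation and returns 1 if any were found, 0 otherwise.
# Mode bits only: this does not need root or the nobody account. The
# authoritative test for "can the web process write here?" is to run find as
# that user, e.g.  sudo -u nobody find "$DOCROOT" -path "$TMPDIR" -prune -o -writable -print
audit_perms() {
  docroot=$1
  tmpdir=$2
  out=$(
    # 1. Outside the scratch directory nothing may be group- or world-writable:
    #    httpd runs as nobody, not as the owner www, so a writable bit here
    #    means a compromised web process can rewrite application code.
    find "$docroot" -path "$tmpdir" -prune -o \
         \( -type f -o -type d \) -perm /022 -print \
      | sed 's/^/writable outside tmp: /'
    # 2. Inside the scratch directory nothing may be executable or PHP:
    #    this is the one place an attacker can write, so it must never be
    #    a place from which code can run.
    find "$tmpdir" -type f \( -perm /111 -o -name '*.php' \) -print \
      | sed 's/^/executable or php in tmp: /'
  )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Stand-alone usage: audit_perms.sh /www/www.example.com /www/www.example.com/tmp
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  audit_perms "$1" "$2"
fi
```

Run it from cron or a deploy hook and treat a non-zero exit as a failed deployment. Because it only looks at mode bits, a file that is 644 but owned by nobody outside tmp would slip through; combine it with the `sudo -u nobody find … -writable` check in the comment when the nobody account is available.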
Blocking access

Apache scopes access-control rules with these container directives: <Directory>, <DirectoryMatch>, <Files>, <FilesMatch>, <Location> and <LocationMatch>. The first four match on the filesystem path, the last two on the request URL.

Not every directory and file under the document root should be reachable by users. Early PHP projects built without a framework typically kept directories such as include, config, templates and upload areas directly inside the document root, so they have to be blocked explicitly in the web server; otherwise a request for a configuration file or an uploaded PHP file is served (or executed) like any other.
Example 16.1. Example for ECSHOP

The virtual host below blocks the ECSHOP directories that hold data, templates, libraries and uploads, and additionally refuses to serve any .php file from the image, JavaScript and theme directories, so that a file smuggled into an upload location cannot be executed.

```apache
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot /www/www.example.com/
    ServerName www.example.com
    ServerAlias example.com
    DirectoryIndex index.html index.php
    CustomLog "|/srv/httpd/bin/rotatelogs /www/logs/www.example.com/access.%Y-%m-%d.log 86400 480" combined

    # Directories that must never be served directly (matched on the URL)
    <Location /data/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /images/upload/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /temp/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /includes/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /library/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /plugin/>
        Order allow,deny
        Deny from all
    </Location>

    # Static-content directories: refuse PHP files so an uploaded script cannot run
    <Directory /www/www.example.com/images/>
        <Files *.php>
            Order allow,deny
            Deny from all
        </Files>
    </Directory>
    <Directory /www/www.example.com/js/>
        <Files *.php>
            Order allow,deny
            Deny from all
        </Files>
    </Directory>
    <Directory /www/www.example.com/themes/>
        <Files *.php>
            Order allow,deny
            Deny from all
        </Files>
    </Directory>
</VirtualHost>
```

Two caveats. `Order allow,deny` / `Deny from all` is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, and the native form is `Require all denied`. And `<Files *.php>` matches only the literal .php suffix, so if your PHP handler is also mapped to .php3, .php5, .phtml or similar, widen the match (for example with <FilesMatch>) or the block can be bypassed by renaming the upload.
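The usual failure with this approach is not a wrong rule but a missing one: a new directory appears under the document root and nobody adds a <Location> block for it. The script below is an added check, not part of the original handbook, and the directory and configuration names it uses are assumptions. It lists every top-level directory of a document root that is neither on an explicit list of public directories nor covered by a <Location> block that actually denies access (either `Deny from all` or `Require all denied`), so a block that exists but allows access is still reported. The sample configuration in the test is constructed for illustration.

```sh
#!/bin/sh
# unprotected_dirs DOCROOT CONF "PUBLIC DIRS"
#   DOCROOT: document root on disk (e.g. /www/www.example.com)
#   CONF:    the httpd configuration (or vhost include) to inspect
#   PUBLIC:  space-separated names of directories that are meant to be served
# Prints the name of every top-level directory that is neither public nor
# denied by a <Location /name/> block in CONF; returns 1 if any were found.
unprotected_dirs() {
  docroot=$1
  conf=$2
  public=$3
  n=0
  for path in "$docroot"/*/; do
    [ -d "$path" ] || continue            # no subdirectories at all
    d=$(basename "$path")
    case " $public " in *" $d "*) continue ;; esac
    # Look for <Location /d/> (optionally quoted) and require a deny
    # directive inside that block before the matching </Location>.
    if ! awk -v loc="/$d/" '
        $0 ~ "<Location[[:space:]]+\"?" loc "\"?>" { inblock = 1; next }
        inblock && /Deny from all|Require all denied/ { found = 1 }
        /<\/Location>/ { inblock = 0 }
        END { exit (found ? 0 : 1) }' "$conf"; then
      echo "$d"
      n=$((n + 1))
    fi
  done
  [ "$n" -eq 0 ]
}

# Stand-alone usage:
#   unprotected_dirs /www/www.example.com /srv/httpd/conf/www.example.com.conf "images js themes"
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  unprotected_dirs "$1" "$2" "${3:-}"
fi
```

The public list is deliberately an allow-list: anything you have not consciously decided to serve is reported, which is the same default-deny posture the <Location> blocks implement. Nested paths such as /images/upload/ are not walked by this version; extend the glob or call it once per parent directory if the application keeps sensitive data below a public directory.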
Original source: Netkiller series handbooks
Author: 陈景峯
Please contact the author before reproducing this text, and always credit the original source, the author, and this notice.