Possible Duplicate:
What are the best linux permissions to use for my website?
I'm trying to get a canonical answer on how to set up permissions for apache vis-a-vis the web root (/var/www). According to this highly popular answer, giving apache write-access to /var/www seems ok, whereas elsewhere (see comments) it seems like a no-no.
Can someone shed some light? If this is a security risk in and of itself, can you describe exactly how it would be exploited?
Update:
Let's assume a private server, where the only two users we're concerned about are 'apache' and 'root'.
The key difference between the two links is that the first link sets permission 775 only on the folder. The second sets permission 775 on all files and folders under it as well as on the folder itself. The latter is the great problem, as that makes all files executable. You don't want your user-uploaded files being executed, as an example.
With files aside, pertaining to the security of the folder itself:
If apache has full access to the folder, and it is a shared environment (such as shared hosting), other users (whether it be a legitimate user or a hacker) who can spawn apache processes can add/modify any portion of the shared web services through the apache user. If there is only a single user serviced by this machine, I do not think there's any significant security difference between the two.
Giving a user write access to a directory gives that user write, modify, and delete rights to anything in that directory, regardless of the owner or individual permissions of the files contained in it. The webserver user works on behalf of anyone who has access to websites it serves. In most cases, anyone is the general Internet, unless specific security rules are in place. Therefore, anyone on the Internet with basic knowledge could delete and/or modify files, or place undesired content in your directory structure to serve it out.
A recommended solution is to have a writable directory outside the public structure, which a secure script has access to, to write/present content to the public. If you absolutely must have a writable directory within the public structure, I would make it an obscure low-level directory that is never referenced for read purposes to the general Internet. But never the top of your website structure.
Unfortunately, there is no answer to the generic question of how to exploit a web-facing server to write to the unprotected file system. It would depend on the web server and supporting services (e.g. PHP, Java, etc.) and exploits of the particular versions you are running, in addition to any insecure scripts (PHP, CGI, Perl, Java) that may be running on the website. The point is, as a web/systems administrator, you should not open write to your disk, putting complete faith in any of the above items to protect you. Also, it would be unethical to propagate such information.
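
An audit sketch for the two concerns raised in the answers above (an added example, not part of the original thread): it walks a web root and reports entries whose mode bits give the web-server account write access, plus regular files that carry an execute bit, as a recursive 775 produces. The function names, the constructed sample tree and the uid/gid passed in are assumptions for illustration; ACLs and root's override are ignored.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic Unix check: owner bits, else group bits, else other (no ACLs, no root)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_webroot(root, uid, gids):
    """Return sorted (relative_path, finding) pairs for everything under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # skip symlinks; their own mode bits are not used for access checks
            rel = os.path.relpath(path, root)
            if writable_by(st, uid, gids):
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((rel, kind + " writable by web server"))
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                findings.append((rel, "regular file has execute bit"))
    return sorted(findings)

def build_sample(root, dir_mode, file_mode):
    """Constructed sample tree: index.html and uploads/a.jpg with the given modes."""
    os.makedirs(os.path.join(root, "uploads"))
    for rel in ("index.html", os.path.join("uploads", "a.jpg")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample")
        os.chmod(os.path.join(root, rel), file_mode)
    for rel in (".", "uploads"):
        os.chmod(os.path.join(root, rel), dir_mode)

if __name__ == "__main__":
    for label, dmode, fmode in (("775 on everything", 0o775, 0o775),
                                ("775 dirs, 644 files", 0o775, 0o644),
                                ("755 dirs, 644 files", 0o755, 0o644)):
        with tempfile.TemporaryDirectory() as root:
            build_sample(root, dmode, fmode)
            st = os.stat(root)
            # Assumption: the web server is not the owner but shares the tree's group.
            print(label, audit_webroot(root, st.st_uid + 1, {st.st_gid}))
```

On a real host, pass the uid and group ids of the account the web server actually runs as, and the actual document root.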