Zhihu column | Multi-dimensional Architecture | WeChat ID: netkiller-ebook | QQ group: 128659835, please mention "reader" |
Apache process owner: nobody
Application code owner: www
Apache can read and execute the application code but cannot modify it; only special directories such as /tmp are writable by the web server.
Commands to reset the permissions:
chown www:www -R /www
chown nobody:nobody -R /www/www.example.com/tmp
find /www/ -type d -exec chmod 755 {} \;
find /www/ -type f -exec chmod 644 {} \;
chmod 744 -R /www/www.example.com/tmp
Blocking access to directories and files
The Apache container directives used for this are:
<Directory>
<DirectoryMatch>
<Files>
<FilesMatch>
<Location>
<LocationMatch>
Not every directory and file should be reachable by users. For example, early PHP projects that used no framework often have directories such as include and config that must be blocked from web access.
Example 24.1. Example for ECSHOP
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot /www/www.example.com/
    ServerName www.example.com
    ServerAlias example.com
    DirectoryIndex index.html index.php
    CustomLog "|/srv/httpd/bin/rotatelogs /www/logs/www.example.com/access.%Y-%m-%d.log 86400 480" combined

    <Location /data/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /images/upload/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /temp/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /includes/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /library/>
        Order allow,deny
        Deny from all
    </Location>
    <Location /plugin/>
        Order allow,deny
        Deny from all
    </Location>

    <Directory /www/www.example.com/images/>
        <Files *.php>
            Order allow,deny
            Deny from all
        </Files>
    </Directory>
    <Directory /www/www.example.com/js/>
        <Files *.php>
            Order allow,deny
            Deny from all
        </Files>
    </Directory>
    <Directory /www/www.example.com/themes/>
        <Files *.php>
            Order allow,deny
            Deny from all
        </Files>
    </Directory>
</VirtualHost>
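The permission policy above (755 directories, 644 files, write access only in the server's temp directories) and the rule that no .php file belongs under images/, js/ or themes/ are both things worth auditing on disk rather than trusting the last chown/chmod run. The following Python script is an added example, not part of the original page or of ECSHOP; the directory names in NO_PHP_DIRS and WRITABLE_DIRS are assumptions taken from the example configuration, and run_demo() builds a constructed document root in a temporary directory so it runs offline.

```python
import os
import shutil
import tempfile

# Assumed policy mirroring the page: static dirs where PHP must never be served,
# dirs the web server may write to (relative to the document root), expected modes.
NO_PHP_DIRS = ("images", "js", "themes")
WRITABLE_DIRS = ("tmp", "temp", "data", "images/upload")
DIR_MODE, FILE_MODE = 0o755, 0o644

def _under(rel_dir, prefixes):
    return any(rel_dir == p or rel_dir.startswith(p + "/") for p in prefixes)

def audit_docroot(docroot):
    # Walk the tree and return (relative_path, problem) tuples for every violation.
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = dirpath[len(docroot):].strip(os.sep)
        writable = _under(rel_dir, WRITABLE_DIRS)
        dmode = os.lstat(dirpath).st_mode & 0o777
        if dmode != DIR_MODE and not writable:
            findings.append((rel_dir or ".", "dir mode %o, expected %o" % (dmode, DIR_MODE)))
        for name in filenames:
            rel = os.path.join(rel_dir, name) if rel_dir else name
            fmode = os.lstat(os.path.join(dirpath, name)).st_mode & 0o777
            # Group/world-writable code could be rewritten by the web server account.
            if fmode & 0o022:
                findings.append((rel, "group/world writable (%o)" % fmode))
            elif fmode != FILE_MODE and not writable:
                findings.append((rel, "file mode %o, expected %o" % (fmode, FILE_MODE)))
            # The <Files *.php> rules block serving such a file; its presence is an alert.
            if name.lower().endswith(".php") and _under(rel_dir, NO_PHP_DIRS):
                findings.append((rel, "php file in static directory"))
    return findings

def run_demo():
    # Constructed document root (not a real site): two files deliberately violate policy.
    base = tempfile.mkdtemp()
    layout = {"index.php": 0o644, "includes/config.php": 0o644, "images/logo.png": 0o644,
              "images/upload/avatar.php": 0o644, "tmp/cache.dat": 0o744, "js/app.js": 0o666}
    try:
        for rel, mode in layout.items():
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
            os.chmod(full, mode)
        for dirpath, _, _ in os.walk(base):
            os.chmod(dirpath, DIR_MODE)
        return audit_docroot(base)
    finally:
        shutil.rmtree(base)
```

Ownership (www versus nobody) is not checked here because those accounts cannot be assumed on the machine running the example. Note that `Order allow,deny` / `Deny from all` is the Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat, and `Require all denied` is the native equivalent.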