
This is a discussion on Securing a writable folder in the VPS & Dedicated forum

  1. #1
    Nearly 100% Pure Carbon thecoalman's Avatar
    Join Date
    Nov 2007
    Location
    Northeast Pennsylvania
    Posts
    529

    Securing a writable folder

    I'm trying to lock down a couple folders some web applications can write to as much as possible. What's the "best" way to do it? I see there are some Apache modules for doing this, such as suPHP, but what in your opinion is the best way to do this?

    Right now I have the folders set with apache as the owner and permissions set to 755. I'm getting conflicting information on this as well, but since it's my VPS and not a shared host, if I understand it correctly, that is the best option for my own environment?

  2. #2
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Yeah, that's probably the best way to do it. Much better, IMHO, than having "777" directories lying around on your server.

    FWIW, I'm using suPHP on my VPS for various reasons, but if I weren't I would probably do it the way you do. The advantage of suexec/suPHP is that scripts run as the owner of the account and can, therefore, generally only access files in that account. If an app like WordPress gets exploited and you're using suPHP, the damage is generally limited to the account where it is running. If the server is running as Apache, the exploit will try to branch out into other accounts if it can find them, and may be successful. With the former you may end up with one completely trashed account that you have to restore from backup. With the latter, you may end up with lots of exploit code spread thinly across the entire server. Pick your poison.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com
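
An added example, not part of either post: a small audit that lists what the thread is weighing, namely directories left world-writable ("777") and directories the web-server user owns and can write to. The user name `apache` and the web-root path argument are assumptions; substitute your own.

```sh
#!/bin/sh
# Added example: audit directory permissions under a web root.
# The default user "apache" and the web-root argument are assumptions.

# Directories any local account can write to (the "777" case).
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Directories the web-server user owns and can write to: everything a
# compromised script running as that user is able to modify.
owned_writable_dirs() {
    find "$1" -type d -user "$2" -perm -0200 2>/dev/null | sort
}

# Directories owned by the web-server user whose mode is looser than 755,
# i.e. group or other also has write permission.
looser_than_755() {
    find "$1" -type d -user "$2" \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Print a report; return 0 only when nothing is world-writable or loose.
audit() {
    ww=$(world_writable_dirs "$1")
    loose=$(looser_than_755 "$1" "$2")
    echo "Writable by owner $2:"
    owned_writable_dirs "$1" "$2"
    echo "World-writable:"
    echo "${ww:-(none)}"
    echo "Owned by $2 but looser than 755:"
    echo "${loose:-(none)}"
    [ -z "$ww" ] && [ -z "$loose" ]
}

# Usage: sh audit.sh /path/to/webroot [web-user]
if [ "$#" -ge 1 ]; then
    audit "$1" "${2:-apache}"
fi
```

The first list in the report is the write surface a script running as that user has; the shorter it is, the less an exploited application can touch.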
