This repository was archived by the owner on Jul 25, 2018. It is now read-only.

Changing file permissions for httpd directories #119

Open
bws0013 opened this issue Sep 28, 2017 · 1 comment
bws0013 commented Sep 28, 2017

Cookbook version

0.5.0

Chef-client version

chef-client version: 12.18.31

Platform Details

CentOS 6

Scenario:

Due to security we would like the ability to change the default directory permissions from root to apache.

Steps to Reproduce:

httpd_service node['httpd']['http_service_name'] do
  action [:create, :start]
  mpm 'prefork'
  not_if { ::File.directory?("/etc/httpd-#{node['httpd']['http_service_name']}/conf.d") }
end

# httpd config file
httpd_config node['httpd']['http_service_name'] do
  instance node['httpd']['http_service_name']
  source(node['httpd']['enable_ssl'] ? 'httpd_ssl.conf.erb' : 'httpd.conf.erb')
  variables(
    server_name: node['httpd']['server']
  )
  action :create
  notifies :restart, "httpd_service[#{node['httpd']['http_service_name']}]"
end

Expected Result:

Being able to change the group and user permissions. Changing the file permissions to 750.

[root@ej httpd]# ls -al
drwxr-x---.  2 apache apache 4096 Sep 28 14:09 conf
drwxr-x---.  2 apache apache 4096 Sep 28 14:11 conf.d

Actual Result:

[root@ej httpd]# ls -al
drwxr-xr-x.  2 root root 4096 Sep 28 14:09 conf
drwxr-xr-x.  2 root root 4096 Sep 28 14:11 conf.d

iennae (Contributor) commented Oct 19, 2017

The httpd_config resource currently hard codes the ownership and mode of these files.

Additionally, the default configuration when installing httpd is to make these root:root, world readable. Based on https://httpd.apache.org/docs/2.4/misc/security_tips.html changing this to apache doesn't seem like it's a standard security recommendation. Specifically:

In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits.

This is why it's world-readable, so whatever user you have the webserver running as can read the configuration files. It also means that there can be per service run_user/run_group.

There is a lot of work that would have to be done to change this and have it still work. This is unlikely to be something that our team will work on. If I'm misunderstanding some aspect of this, please do add more information to this issue.
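
The Apache security tips page linked in the comment above also asks that the server's configuration directories, and every parent of them, be writable only by root. The following is an added example, not part of this thread or of the httpd cookbook, that audits a path for that property; `audit_config_path`, `demo_findings`, the `trusted_uid`/`stop_at` parameters and the temporary directory layout are assumptions made for the illustration.

```ruby
require 'tmpdir'

# Walk from `path` up to `stop_at` and report every directory that is not
# owned by `trusted_uid` (root by default) or that is writable by group/other.
# Either condition lets a non-root account change what httpd loads as root.
def audit_config_path(path, trusted_uid: 0, stop_at: '/')
  findings = []
  current = File.expand_path(path)
  stop = File.expand_path(stop_at)
  loop do
    st = File.stat(current)
    mode = st.mode & 0o7777
    if st.uid != trusted_uid
      findings << format('%s: owned by uid %d, expected %d', current, st.uid, trusted_uid)
    end
    if (mode & 0o022) != 0
      findings << format('%s: mode %04o is group- or world-writable', current, mode)
    end
    break if current == stop || current == '/'
    current = File.dirname(current)
  end
  findings
end

# Constructed sample tree standing in for /etc/httpd-<instance>/conf.d.
# The current user plays the trusted owner so the demo runs unprivileged.
def demo_findings
  Dir.mktmpdir('httpd-audit') do |root|
    conf_d = File.join(root, 'conf.d')
    Dir.mkdir(conf_d)
    File.chmod(0o755, conf_d) # cookbook default: world-readable, owner-writable
    tight = audit_config_path(conf_d, trusted_uid: Process.euid, stop_at: root)
    File.chmod(0o775, conf_d) # loosened: group members can now write
    loose = audit_config_path(conf_d, trusted_uid: Process.euid, stop_at: root)
    { tight: tight, loose: loose }
  end
end

puts demo_findings.inspect if __FILE__ == $PROGRAM_NAME
```

On a real node, calling `audit_config_path('/etc/httpd/conf.d')` with the defaults flags the `apache apache` ownership from the issue's expected result, because the owner would then be the account the workers run as rather than root.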
