
The user wants to let PHP write files in his /home/ directory. He is advising me to run `usermod -a -G www-data username`, where username is his username. I wasn't sure if this was a security issue or not.

What is the best way of approaching this?

ParoX

2 Answers


The proposed command adds the user to the www-data group. This may give him unintended extra permissions; in particular, he'll be able to access any file that's restricted to the www-data group. This is probably a lot more than you intended.

For example, suppose two users make this request and get added to the www-data group, and each user opens up ~/www-shared to the www-data group. Then each will be able to read and write to the other's www-shared directory.

Access control lists look a lot more appropriate for the stated purpose. This requires that your operating system and filesystem support ACLs. On Linux, make sure that the filesystem is mounted with the `acl` option. Then the user can run `setfacl -m user:www-data:rwx ~/www-shared` to share a directory with the www-data user.

Still, this problem sounds like something many people running web servers have faced before. So there may be a much better solution involving the Apache toolbox.


This is not a good idea because the user www-data will be in the group of the user. So the webserver may manipulate all files of this user.

Also, any other users on the system are then able to read and write from the files of the given user via a simple php script.

It's generally not a good idea to give the webserver more write/read access than needed. So you might want to widen the permissions only in the directory (or even on the file) which needs write access. This can be an upload directory, for example.

like...

chgrp www-data /home/foobar/public_html/wordpress/uploads
chmod -R g+rwX /home/foobar/public_html/wordpress/uploads

Jan.
  • Do you mean the user will be a part of the www-data group? – ParoX Aug 31 '10 at 14:45
  • No, BHare.. That way the server is just able to write to the one specified directory instead of everything in /home/foo/. – Jan. Aug 31 '10 at 14:48
  • Addition: the command your user suggested makes the user "www-data" belong to the group of that given user. See `man usermod` – Jan. Aug 31 '10 at 14:49
  • I always thought `usermod -a -G ` would append the to , but you're saying the syntax is `usermod -a -G `. Strangely then, when I do `id username` it shows him a part of the www-data group. – ParoX Aug 31 '10 at 14:52
  • Oh hell! You're correct! The last parameter is the username which will be in the www-data group then. Sorry for my false statement. So this situation is even worse now. I'd remove him from this group ASAP and I'd stick to the smallest possible solution: chmod/chgrp *only* the directory where write access is needed. Not a whole web-root. And -if possible- move the write-enabled directories out of the document-root. – Jan. Aug 31 '10 at 16:31
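As an added example, not code from either answer or from the comment thread, here is a small POSIX sh script that audits the two things this page turns on: whether a user has ended up in the www-data group (the first answer's objection, and what the last comment says to undo), and which directories under a home tree the web server's group can actually write to (the "smallest possible solution" of the second answer). The usernames, the /etc/group excerpt and the directory tree are constructed for the demo so it runs without root; on a real box you would point `in_group` at /etc/group and `group_writable_dirs` at the user's home with the group `www-data`.

```shell
#!/bin/sh
# Added audit example (not from the original answers). Assumes only POSIX sh,
# awk, find, chmod and id; the group file and directory tree below are
# constructed so the script runs without root and touches nothing real.

# in_group GROUP USER [GROUPFILE]
# Exit 0 if USER is listed as a supplementary member of GROUP in a
# group(5)-format file (default /etc/group), exit 1 otherwise. A user whose
# *primary* group is GROUP is not listed there; on a live system
# `id -nG USER` covers both cases.
in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "${3:-/etc/group}"
}

# group_writable_dirs ROOT GROUP
# Print every directory under ROOT that GROUP can write into (owned by GROUP
# and group-writable). With GROUP=www-data on a real home directory this lists
# exactly which paths the web server may modify; anything beyond the intended
# upload directory is a candidate for tightening.
group_writable_dirs() {
    find "$1" -type d -group "$2" -perm -020 2>/dev/null | sort
}

# --- constructed demo data --------------------------------------------------
GROUPFILE=$(mktemp)
TREE=$(mktemp -d)
trap 'rm -rf "$GROUPFILE" "$TREE"' EXIT

# Constructed /etc/group excerpt: "alice" was added with
# `usermod -a -G www-data alice`, "bob" was not.
cat > "$GROUPFILE" <<'EOF'
root:x:0:
www-data:x:33:alice
users:x:100:alice,bob
EOF

# Constructed home tree; only the upload directory is opened to the group,
# mirroring the chgrp/chmod lines in the second answer. chgrp to www-data
# needs privileges, so the demo uses the current process's group instead.
MYGROUP=$(id -gn)
mkdir -p "$TREE/public_html/wordpress/uploads"
chmod 755 "$TREE" "$TREE/public_html" "$TREE/public_html/wordpress"
chmod g+rwX "$TREE/public_html/wordpress/uploads"

for user in alice bob; do
    if in_group www-data "$user" "$GROUPFILE"; then
        # Membership grants the user everything www-data can reach; on a live
        # system undo it with `gpasswd -d "$user" www-data`.
        echo "WARNING: $user is a member of www-data"
    else
        echo "ok: $user is not a member of www-data"
    fi
done

echo "directories writable by group $MYGROUP under $TREE:"
group_writable_dirs "$TREE" "$MYGROUP"
```

Run as-is it reports alice as a www-data member and bob as clean, and lists only the `uploads` directory as group-writable, which is the state the second answer's chgrp/chmod pair is meant to produce. The `find -perm -020` test deliberately ignores world-writable bits; a separate pass with `-perm -002` is worth running too, since a world-writable directory is reachable by the web server regardless of group ownership.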