
I need some help setting the correct permissions or ownership of the apache document root. Here is what I need:

  • different websites stored in /var/www/html/<site>
  • two users should update/manage the websites through ssh
  • ownership should be different than the apache user (for security)

How can I do this? At the moment all files are world-writable, which isn't good. The server runs CentOS 5.5

Thanks

Marco
  • For a more detailed answer with other options for securing a docroot, see http://serverfault.com/questions/357108/what-are-the-best-linux-permissions-to-use-for-my-website – Quinn Comendant Jul 06 '13 at 15:01
  • I think it's better to store each website in a separate location (don't put both at DocumentRoot, use 2 virtual hosts) then each sysadmin user owns only his own website and set the group owner of both websites directories as the Apache group – the accountant Jul 12 '18 at 03:49

2 Answers


Create a new group

groupadd webadmin

Add your users to the group

usermod -a -G webadmin user1
usermod -a -G webadmin user2

Change ownership of the sites directory

chown root:webadmin /var/www/html/

Change permissions of the sites directory

chmod 2775 /var/www/html/ -R

Now anybody can read the files (including the apache user) but only root and webadmin can modify their contents.

Andy
  • That looks good. But what happens if a user creates new files or copy updated files. Are those permissions applied automatically? Or does he need to chown and chmod everytime? – Marco Jan 20 '11 at 09:44
  • Copied files maintain permissions/ownership. Default file permissions for new files are handled by the `umask` command. More info here http://osr507doc.sco.com/en/OSUserG/_default_perms_new_file.html – Andy Jan 21 '11 at 10:57
  • you could make the dir setgid webadmin to help with new files – covener Jan 22 '11 at 02:48
  • ^ +1. The quick way would be: >> chmod 2775 -R /var/www/html/ – James Broadhead Jul 19 '11 at 16:24
  • @James ta, updated – Andy Jul 19 '11 at 17:34
  • In the final step, you might want to NOT set all files in this folder as executable. Rather just `chmod 2775 /var/www/html`, i.e. not recursive. – Elliptical view Feb 06 '19 at 06:11
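The following script is an added example and is not code from Andy's answer or from the commenters. It combines the answer's group-ownership scheme with the comment advice to avoid a recursive 2775: setgid goes on directories only, regular files get 0664, and a check function reports anything that is still world-writable, executable, not setgid, or in the wrong group. It assumes a Linux userland (GNU or BusyBox find with octal -perm tests, chgrp, mktemp) and, on the real server, that the webadmin group from the answer already exists; the demo at the bottom uses a scratch directory and the caller's own primary group so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the answer above.
# harden_docroot DIR GROUP: group-own the tree, setgid on directories only,
# 0664 on files, so nothing under the docroot is executable or world-writable.
# Assumes GNU/BusyBox find and chgrp; GROUP must already exist (e.g. webadmin).

harden_docroot() {
    dir=$1
    group=$2
    # Group-own everything; each file stays owned by whichever admin wrote it.
    chgrp -R "$group" "$dir"
    # setgid on directories only: files created inside inherit the group.
    find "$dir" -type d -exec chmod 2775 {} +
    # Regular files: owner and group write, world reads, nobody executes.
    find "$dir" -type f -exec chmod 0664 {} +
}

# check_docroot DIR GROUP: print every violation to stderr; return 1 if any
# were found, 0 if the tree is clean.
check_docroot() {
    dir=$1
    group=$2
    viol=$(
        find "$dir" -perm -002            | sed 's/^/world-writable: /'
        find "$dir" -type f -perm -100    | sed 's/^/executable file: /'
        find "$dir" -type d ! -perm -2000 | sed 's/^/directory without setgid: /'
        find "$dir" ! -group "$group"     | sed 's/^/wrong group: /'
    )
    if [ -n "$viol" ]; then
        printf '%s\n' "$viol" >&2
        return 1
    fi
    return 0
}

# Demo on a scratch directory with the caller's own primary group, so it runs
# without root. On the server from the question it would be:
#   harden_docroot /var/www/html webadmin && check_docroot /var/www/html webadmin
demo_dir=$(mktemp -d)
demo_group=$(id -gn)
mkdir -p "$demo_dir/site1/images" "$demo_dir/site2"
printf '<html></html>' > "$demo_dir/site1/index.html"     # constructed sample content
printf 'PNG' > "$demo_dir/site1/images/logo.png"
printf '<html></html>' > "$demo_dir/site2/index.html"
chmod -R 0777 "$demo_dir"      # reproduce the questioner's "all world-writable" state

if check_docroot "$demo_dir" "$demo_group" 2>/dev/null; then
    echo "unexpected: scratch docroot already passes"
fi
harden_docroot "$demo_dir" "$demo_group"
if check_docroot "$demo_dir" "$demo_group"; then
    echo "docroot $demo_dir passes the permission check"
fi
rm -rf "$demo_dir"
```

Run check_docroot from cron or after each deploy: because the setgid bit only fixes the group of new files, not their mode, a file uploaded with a permissive umask (0002 is what the two admins want) still shows up here if someone copies in something world-writable or executable.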

I prefer to mount the partition with -o acl. This allows you to use the setfacl command to set fine-grained permissions on files and folders, instead of only specifying user-group-other permissions.

So add acl to your partition's line in /etc/fstab, or remount with mount -o remount,acl /mnt/xy, and then give ownership of your web directory to nobody:nobody. Chmod to 770, and use setfacl to give write permissions only on the folders that need it, e.g. give www-data (or the user your webserver runs as) write permissions for the upload folder, and give write permissions to your own user for the whole directory.

mkdir dir
chown nobody:nobody dir
setfacl -m u:www-data:r-x,d:u:www-data:r-x dir
setfacl -m u:www-data:rwx,d:u:www-data:rwx dir/upload
setfacl -m u:youruser:rwx,d:u:youruser:rwx dir

Now nobody can read your files, apart from your webserver and your own user. You can write to every file in the folder, and the webserver can only write into the upload folder.

K. Norbert