5

To make working with my webserver easiest I am proposing doing something like the following:

sudo chown www-data:www-data /var/www -R
cd /var/www
sudo find . -type f -exec chmod 664 {} \;
sudo find . -type d -exec chmod 775 {} \;

I have my day-to-day user added to the www-data group too.

My question is: is this a foolish/risky permission set? Is giving www-data group those permissions opening my server up?

Thanks Alex

Alex Hadley
  • Thanks for the answers. So is the problem that www-data user has access, or the www-data group? I.e. the first or second 7? –  Sep 19 '11 at 13:16
  • the problem is the apache process having write access, doesn't matter if via user permissions or via group permissions. – Carlos Campderrós Sep 19 '11 at 14:52
  • So, I have created a new group and set the owner of `/var/www` (`-R`) to `root:newgroup` where my everyday user is in `newgroup`. Am I now safe to set directories to `775`, and files `664`? – Alex Hadley Sep 20 '11 at 09:53
  • you should set permissions in directories to 2775, so new files and directories created there would be owned by the same group (`newgroup` in this case). There should be no worries now. – Carlos Campderrós Sep 20 '11 at 10:41

5 Answers

7

Usually you just want to have upload folders or autogenerated files to be writable by the www-data user.

Anyway, the risk you are opening here is that if your web application has any bug/vulnerability that might allow an attacker to execute code on your server, this code will execute as www-data (the user the apache process is running) and it could completely delete all your websites.

Carlos Campderrós
  • Thanks for your reply. So should /var/www and sub files/folders really be owned by a different group and user then? My everyday user I guess, since I'm the only one who uses the server? –  Sep 19 '11 at 13:22
  • Yes it's possible. Indeed that's the setup I use on my personal computer when I'm developing. If I need some folder to be writable by apache (www-data user), then just execute `chgrp www-data upload_folder` and `chmod g+ws upload_folder`. – Carlos Campderrós Sep 19 '11 at 14:51
  • Excellent, thanks for this. I saw in another question a recommendation to set ownership to root:group where group was a new group that any editing users should be added to. I guess that's the model to go for – Alex Hadley Sep 19 '11 at 14:59
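The layout this answer and its comments converge on, written out as an added example that is not part of the original thread: a POSIX shell script that gives the tree to root and an editors' group with 2775 directories and 664 files, hands only the upload directory to the www-data group with setgid (the `chgrp www-data` / `chmod g+ws` step from the comment), and then lists what the web group can still write. The names `webdevs`, `www-data` and `html/uploads` are illustrative assumptions; the demo at the bottom runs on a scratch tree with the calling user's own identities so it works without root.

```shell
#!/bin/sh
# Added example, not code from the original thread: implement the layout the
# accepted answer and its comments converge on.
#   * the tree is owned by root (or a deploy account) and an editors' group
#     (2775 dirs / 664 files), so www-data can read but not write;
#   * only the directories apache must write to (uploads, cache) get the
#     www-data group with setgid, so files apache creates stay in that group.
# User/group names are parameters; the demo at the bottom uses the calling
# user's own identity so it can run without root.
set -e

# Octal mode of a path, e.g. 2775 (GNU stat; BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# harden_docroot DOCROOT OWNER EDITORS_GROUP WEB_GROUP [WRITABLE_SUBDIR ...]
#   DOCROOT          e.g. /var/www
#   OWNER            e.g. root        (never the apache user)
#   EDITORS_GROUP    e.g. webdevs     (your day-to-day user is a member)
#   WEB_GROUP        e.g. www-data    (the group apache runs as)
#   WRITABLE_SUBDIR  paths under DOCROOT that apache legitimately writes to
harden_docroot() {
    docroot=$1 owner=$2 editors=$3 webgrp=$4
    shift 4

    # Read-only for the web server: owner and editors may write, others read.
    chown -R "$owner:$editors" "$docroot"
    find "$docroot" -type d -exec chmod 2775 {} +   # setgid: new entries inherit the group
    find "$docroot" -type f -exec chmod 0664 {} +

    # The few writable spots: hand them to apache's group, keep setgid so that
    # anything apache creates there also belongs to WEB_GROUP.
    for sub in "$@"; do
        dir="$docroot/$sub"
        mkdir -p "$dir"
        chgrp -R "$webgrp" "$dir"
        find "$dir" -type d -exec chmod 2775 {} +
        find "$dir" -type f -exec chmod 0664 {} +
    done
}

# List everything under DOCROOT that WEB_GROUP can write to: entries owned by
# that group with the group-write bit set, plus anything world-writable.
# After hardening this should show only the writable subdirs and their contents.
list_web_writable() {
    find "$1" \( \( -group "$2" -perm -g=w \) -o -perm -o=w \) -print
}

count_web_writable() {
    list_web_writable "$1" "$2" | wc -l | tr -d ' '
}

# --- demo on a constructed scratch tree (real paths would be /var/www etc.) ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/html/uploads" "$demo_root/html/inc"
echo '<?php echo "hi";' > "$demo_root/html/index.php"
echo '<?php $db = "secret";' > "$demo_root/html/inc/config.php"
chmod 0777 "$demo_root/html/uploads"        # the "just make it work" mode being replaced

# Stand-ins for root / webdevs / www-data: the caller's user, primary group and,
# if available, one of its other groups (so the listing below is meaningful).
editors_grp=$(id -gn)
web_grp=$(id -Gn | tr ' ' '\n' | grep -v -x "$editors_grp" | head -n1)
[ -n "$web_grp" ] || web_grp=$editors_grp

# In production: harden_docroot /var/www root webdevs www-data html/uploads
harden_docroot "$demo_root" "$(id -un)" "$editors_grp" "$web_grp" html/uploads
echo "mode of html/inc:        $(mode_of "$demo_root/html/inc")"
echo "mode of html/index.php:  $(mode_of "$demo_root/html/index.php")"
echo "writable by group $web_grp:"
list_web_writable "$demo_root" "$web_grp"
rm -rf "$demo_root"
```

Two caveats worth checking on a real box. First, setgid on the directories only fixes the group of new files; the mode still comes from the creating user's umask, so an editor with the default umask 022 creates 644 files that the other editors cannot modify until the umask is set to 002. Second, the directories that www-data can write to are exactly the ones where an uploaded `.php` file would be served as code, so disable script execution there in the server configuration itself (for mod_php, `php_admin_flag engine off` inside a `<Directory>` block for the upload path), not in an `.htaccess` file that www-data could rewrite. Running `list_web_writable /var/www www-data` after every deployment is a cheap check that nothing outside the intended directories has drifted back to being writable.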
0

It does sound risky, assuming www-data is the user exposed to the web server - you are essentially losing the write protection afforded by the ACL. The second option (775) will also raise the risk of an attacker being able to remotely run code on your machine.

0

In itself, no, if your web server is not configured to honor POST requests and such stuff. However, should any bug in the web server or its client scripts arise that allows writing to the filesystem (and, with the number of PHP scripts around, the probability of this happening is 1), your whole content becomes writeable. So: it's risky, and you should consider other alternatives.

thiton
0

You shouldn't allow common users access to this directory. If a user doesn't need to write or execute from that directory they should not be allowed to do so. At a minimum, I would limit the permissions to 755. Only root (or a user with root access) and www-data should be able to write to this directory.

krs1
0

It's not a good idea to have write permissions on the entire folder; most websites (for example WordPress, Joomla and Magento) need write permission only on specific folders (image upload, file upload). A better way is to give write permission on those folders and not allow script (PHP, Python) execution there, and always check that the user is uploading the right content. For example, if your website allows a user to upload an image as their avatar, check that it is an image and not a fake image with a PHP script inside.

The problem with having write permissions on the website root is that if someone finds a vulnerability, they could use it to write a new index.php file and 'hack' your website.