
On a privately owned server with one website, is there any reason the files/directories within /var/www can't be group owned by www-data?

My understanding is that security risks with www-data having write access only arise if you have multiple websites running on the same box.

Trent Scott

4 Answers


I wrote a simple script for my WordPress site. This script gives Apache only write-access to what it needs to write to. Everything else under the webroot is read-only. I think this is a good step towards a more secure site, and should be practiced.

#!/bin/bash

PATH=/bin:/usr/bin
WEBROOT="/var/www/www.example.com"

UPLOADS="${WEBROOT}/wp-content/uploads"

# Default: everything owned by an unprivileged account that Apache does not
# run as; directories read/execute only, files read only.
chown -R nobody:nogroup "${WEBROOT}"
find "${WEBROOT}" -type d -exec chmod 0555 {} \;
find "${WEBROOT}" -type f -exec chmod 0444 {} \;

# Apache (group www-data) may rewrite the generated sitemaps, nothing else.
chown nobody:www-data "${WEBROOT}/sitemap.xml" "${WEBROOT}/sitemap.xml.gz"
chmod 0464 "${WEBROOT}/sitemap.xml" "${WEBROOT}/sitemap.xml.gz"

# Apache may write to uploads; the setgid bit (2xxx) on the directories keeps
# newly created files in group www-data.
chown -R nobody:www-data "${UPLOADS}"
find "${UPLOADS}" -type d -exec chmod 2575 {} \;
find "${UPLOADS}" -type f -exec chmod 0464 {} \;
pkhamre
  • Appreciate the script above (pkhamre) but no luck for me with wp-content/uploads on the equivalent in CentOS. I created my own www-data, since that is not default on CentOS-apache.

    useradd --system www-data
    cd wp-content/uploads; chown -R www-data:www-data .
    usermod -a -G www-data apache   # thinking I'm going to let apache write files with setgid
    # still in wp-content...
    find . -type d -exec chmod 2575 {} \;
    find . -type f -exec chmod 0464 {} \;

    I also tried chmod 3575 on the directories as this sets sticky as well as setgid ...no luck, meaning wordpress still fails to upload media. Any ideas? –  Mar 02 '13 at 06:21

The principle of least privilege applies. Only give users the rights they need and no more.

In this case, if apache is only serving up pages, give the user account no rights to edit. Possible risks include: changing file content or uploading new ones; adding executable code to files, etc. These risks exist regardless of whether it is a single site or multiple sites. If the application has a need to edit a specific file, restrict permission changes to that file.

uSlackr

I wouldn't see why not. If there is one site, this should be OK. But do mind you might want to grant read-only to some files. (Well, whitelist the ones that need write access :) )

Lucas Kauffman

Even if you have only one website, compromising the apache user will enable the hacker to change the files under /var/www if the folder is writable by the apache user.

Khaled
  • What if certain folders of my site need write access? Would you just change the ownership to www-data on those specific folders, leaving everything else as owned by a web developer account/root? – Trent Scott Apr 25 '12 at 14:29
  • You can change only the needed folders such as the folders that need to get uploaded files. – Khaled Apr 25 '12 at 14:30
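A check in the spirit of uSlackr's and Khaled's answers (give the web server write access only where the application needs it, and know exactly where that is): the script below is an added example, not code from any of the answers. It walks a webroot and reports every path that is world-writable, or group-writable and owned by the web server's group, except under allowlisted prefixes such as an uploads directory. The function names, the argument order and the constructed demo tree are my own; on a real server you would pass the real webroot and the www-data group, and run it as root so find can descend everywhere.

```shell
#!/bin/sh
# Added example (not from the thread): list paths under a webroot that the web
# server's group, or anyone, can write to, skipping allowlisted prefixes.
#
# Usage: audit_writable WEBROOT GROUP [ALLOWED_PREFIX ...]
# e.g.   audit_writable /var/www/www.example.com www-data \
#            /var/www/www.example.com/wp-content/uploads
# GROUP must exist on the host; find reports an error otherwise. Errors from
# find (permission denied, unknown group) are left on stderr on purpose, so an
# incomplete walk is visible.
audit_writable() {
  webroot=$1
  group=$2
  shift 2
  # -perm -0002: world-writable; -group X -perm -0020: group-writable and owned by X.
  find "$webroot" \( -perm -0002 -o \( -group "$group" -perm -0020 \) \) -print |
  while IFS= read -r path; do
    allowed=0
    for prefix in "$@"; do
      case "$path" in
        "$prefix" | "$prefix"/*) allowed=1; break ;;
      esac
    done
    if [ "$allowed" -eq 0 ]; then
      printf '%s\n' "$path"
    fi
  done
}

# Build a small constructed webroot in a temp directory so the audit can be
# exercised offline; prints the directory path. Permissions mirror the layout
# discussed above: read-only code, writable uploads, plus one deliberate slip.
make_demo_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
  : > "$root/index.php"
  : > "$root/wp-includes/functions.php"
  : > "$root/wp-content/uploads/photo.jpg"
  chmod 0755 "$root" "$root/wp-content" "$root/wp-includes"
  chmod 0444 "$root/index.php"
  chmod 2575 "$root/wp-content/uploads"            # group-writable: intended
  chmod 0464 "$root/wp-content/uploads/photo.jpg"  # group-writable: intended
  chmod 0666 "$root/wp-includes/functions.php"     # world-writable code: the finding
  printf '%s\n' "$root"
}

# Run the audit against the constructed tree, with the current user's primary
# group standing in for www-data; prints the findings, then cleans up.
# Expected: exactly one line, the world-writable functions.php.
demo_findings() {
  root=$(make_demo_webroot)
  audit_writable "$root" "$(id -gn)" "$root/wp-content/uploads"
  rm -rf "$root"
}

# When invoked directly with arguments, audit a real webroot instead.
if [ "$#" -ge 2 ]; then
  audit_writable "$@"
fi
```

The allowlist is deliberately a list of prefixes rather than a single directory: on a WordPress site it would typically hold the uploads directory and the individual files the application regenerates (the sitemaps in pkhamre's script), and anything else the audit prints is a permission the web server did not need.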