4

I have a directory with the following details:

drwxrwxr-x 6 root devs 4.0K Sep  9 14:57 project_dev

Now I want www-data (Apache daemon) to have an access to this directory, so in my mind I am planning to add www-data to group devs. However I fear that I would cause wreckage if I execute this:

usermod -a -G devs www-data

Inputs please.

Frands Hansen
  • 4,617
  • 1
  • 16
  • 29
Leandro Garcia
  • 433
  • 2
  • 7
  • 15

1 Answers1

3

You won't break anything, but you might cause a security issue, since anyone accessing the www-data account (php scripts, unpatched, hacked pages, etc.) will get read/write access to everything that the 'devs' group has.

"www-data" already has read access to that folder, try limiting the write access to just the files it really really needs to write to.

mulaz
  • 10,472
  • 1
  • 30
  • 37
  • Appreciate your feedback, I'd think of this approach because I'm about to install WebSVN. That `project_dev` is a repository. Any suggestions? – Leandro Garcia Sep 09 '12 at 15:29
  • 1
    Can't he just change the group to www-data and add the dev group to www-data to give access to www-data and avoid the security risk? – Choy Sep 09 '12 at 15:41
  • 1
    @Choy: yes, that would work too. But then the devs would have access to all the www-data stuff (which is sometimes OK, sometimes not). Maybe a separate group, and adding the www-data and required devs to it? – mulaz Sep 09 '12 at 16:06