
This question helped me quite a bit:

What's the best way of handling permissions for Apache 2's user www-data in /var/www?

I would like to take the above question further: I want to be able to use upload scripts for some web applications, host a CMS, etc.

So, as it stands, all files /var/www/ are owned by root and belong to the group www-pub, all directories have 775 and files have 664.

I threw together a simple image upload script that grabs an image, creates a directory called "pictures" if it doesn't exist, and saves the picture. I created the files in a new directory within /var/www/ with a user called testuser1, belonging to the group www-pub.

So far so good, I can access it in the browser... but, as expected, the script cannot create the folder "pictures". If I create the folder manually and grant it 777 permissions, the script will execute as expected.

Is this the correct way to go about this? I have a feeling that the script itself shouldn't have public write privileges. But it seems a bit tedious to set up individual permissions for directories that require write access from www-data, especially when it comes to some bigger projects. Is it even OK to have a directory with 777 permissions?

Any advice would be great, thanks!

Dave
  • It is almost never OK to set 0777. – Zoredache Jul 18 '13 at 23:40
  • agreed, and I'm not so hot on lordbray's answer. Do you think that it is better to create a group such as 'www-write', and put both users and www-data into it, have the same 774/664 permissions, and then assign these folders that need write access to 'www-write' for the group? – Dave Jul 19 '13 at 00:07

1 Answer


I am making the assumption that you are using Apache httpd.

Make sure that httpd is running in the www-pub group. This can be checked in /etc/httpd/conf/httpd.conf. Look for a section like:

User httpd
Group httpd

And change the group to www-pub, then restart the server.

You may also need to run usermod -a -G www-pub httpd too. This will add the system user that apache runs under to the group.

Of course, replace httpd with the user that Apache is running under.

  • -1. This is almost certainly a bad idea. It theoretically would mean any buggy script could then be abused to trash everything under `/var/www`. Ideally write access by the web server should be limited to data directories. You shouldn't be permitting your web server to change anything related to the hosted web applications/pages. – Zoredache Jul 18 '13 at 23:48
  • Arguably you are correct; however, you only have read access on the group permissions by default, only allowing write access to the directories that require it. Allowing the owner to write and such, but only allowing the server to read, which is inherently more secure than allowing 'everyone' write access to the data directories. – lordbray Jul 18 '13 at 23:55
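As an added example (not from the question, the answer or either commenter), the following shell functions show the alternative both Zoredache's comments point at: give the web server's group write access to a dedicated data directory via the setgid bit (mode 2775) instead of 777, and audit the web root for anything that is still world-writable. The group name www-pub and the directory name "uploads" are taken from or assumed for this thread; run the setup step as root on a real server.

```shell
#!/bin/sh
# Added example for the thread above; not the original poster's script.

# make_upload_dir DIR GROUP
# Creates DIR writable only by its owner and GROUP (the web server's group,
# e.g. www-pub), never by "other". The setgid bit (the leading 2) makes files
# the upload script creates inherit GROUP, so no later chgrp is needed.
make_upload_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2775 "$dir"
}

# find_world_writable ROOT
# Lists every file or directory under ROOT that any local user can write to,
# i.e. the 777/666 pattern the question asks about. Symlinks are skipped
# because their mode bits are meaningless.
find_world_writable() {
    find "$1" ! -type l -perm -o+w
}

# audit_webroot ROOT
# Returns 0 when nothing under ROOT is world-writable, 1 otherwise, so it can
# be dropped into a cron job or a deploy check.
audit_webroot() {
    [ -z "$(find_world_writable "$1")" ]
}
```

On a live system `make_upload_dir /var/www/site/uploads www-pub` must be run by root (chgrp to a group you are not a member of requires it), and `audit_webroot /var/www` should then report nothing.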