
Thread: Locking down /var/www properly

  1. #1
    Join Date
    Nov 2010
    Beans
    18

    Question Locking down /var/www properly

    It seems to me that there are as many ways to do this as there are sysadmins out there. This is what I came up with.

    Security of /var/www is left as-is.

    The directories and subdirectories under /var/www have the following perm/user/group:
    drwxrws--- martijn www

    Security of files in those directories (recursive) is:
    -rw-rw---- martijn www

    martijn is the owner. www is the group.
    www-data is a member of www.

    I need my websites to be writable by themselves. Please don't dive into this, this is just the way I need it. For this requirement, the security seems quite alright to me. Good enough at least.

    However, I stumble upon an issue. When a website updates itself, it will create some new files and whatnot. But if the www-data user creates a new file, this becomes the security:
    -rw-r--r-- www-data www

    This I don't want. I want any new files and directory to *inherit* from their parent. The security mask should be inherited, the owner should be inherited, and the group is already inherited.

    How do I achieve this? How do I make the security mask and file owners inheritable?

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    All the directories under /var/www/ are set to root:root with -rwxr-xr-x on my boxes.

    That is unless I have them being served from the user's home directory.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Sep 2006
    Beans
    7,634
    Distro
    Lubuntu Development Release

    Re: Locking down /var/www properly

    You should probably remove www-data from www. It is not such a good idea to leave the web server with general write access.

    About the directories keeping the permissions, try setting the Set Group ID bit.

    Code:
    # do once: hand the whole tree to the www group
    sudo chgrp -R www /var/www
    
    # directories: group rwx plus setgid, so new entries inherit the group
    sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
    # files: group rw only (the setgid bit does nothing useful on a plain file)
    sudo find /var/www -type f -exec chmod g=rw "{}" \;
    
    # repeat for each user:
    sudo gpasswd --add martijn www
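To see what the setgid bit in the post above does and does not do, and to check a tree for drift afterwards, here is an added example (not code from the thread). It assumes GNU coreutils/findutils and uses a scratch directory and the caller's primary group in place of /var/www and www:

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the setgid behaviour on a
# scratch directory, then audit a docroot for entries that drift from it.
# DIR and GROUP are whatever the caller passes; nothing here touches /var/www.

# setgid_dir DIR GROUP: group-own DIR and set 2770 (drwxrws---) so that new
# entries inherit GROUP. Only the group is inherited; the owner stays the
# creating user, so setgid cannot make the owner inheritable.
setgid_dir() {
    chgrp "$2" "$1" && chmod 2770 "$1"
}

# inherits_group DIR: create a file and a subdirectory inside DIR; succeed
# only if both got DIR's group and the subdirectory kept the setgid bit.
inherits_group() {
    want=$(stat -c %g "$1")
    : > "$1/.probe" && mkdir "$1/.probe.d" || return 1
    f=$(stat -c %g "$1/.probe"); d=$(stat -c %g "$1/.probe.d")
    m=$(stat -c %a "$1/.probe.d")          # e.g. 2755: leading 2 is setgid
    rm -rf "$1/.probe" "$1/.probe.d"
    [ "$f" = "$want" ] && [ "$d" = "$want" ] && [ "${m%???}" = 2 ]
}

# audit_tree DIR GROUP: count entries under DIR that are not group-owned by
# GROUP, are world-writable, or are plain files carrying setuid/setgid
# (bits a plain file under a docroot should never have).
audit_tree() {
    find "$1" \( ! -group "$2" -o -perm /002 -o \( -type f -perm /6000 \) \) \
        -print | wc -l
}

# Demo on a throwaway directory using the caller's own primary group.
scratch=$(mktemp -d) && grp=$(id -gn)
setgid_dir "$scratch" "$grp"
inherits_group "$scratch" && echo "group inherited under $scratch"
: > "$scratch/leaky" && chmod o+w "$scratch/leaky"
echo "findings: $(audit_tree "$scratch" "$grp")"   # 1 (the world-writable file)
rm -rf "$scratch"
```

Run audit_tree against a real docroot with the site's group to list anything a self-updating site (or a stray chmod) has left outside the intended scheme.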

  4. #4
    Join Date
    Jul 2008
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    Quote Originally Posted by Lars Noodén View Post
    You should probably remove www-data from www. It is not such a good idea to leave the web server with general write access.

    About the directories keeping the permissions, try setting the Set Group ID bit.

    Code:
    # do once: hand the whole tree to the www group
    sudo chgrp -R www /var/www
    
    # directories: group rwx plus setgid, so new entries inherit the group
    sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
    # files: group rw only (the setgid bit does nothing useful on a plain file)
    sudo find /var/www -type f -exec chmod g=rw "{}" \;
    
    # repeat for each user:
    sudo gpasswd --add martijn www
    I don't see the problem of www-data updating the files. This is a system user that Apache runs under. When you set the GID bit for all directories and files created by any user it has the www group set; correct? The www-data user has limited abilities by design.

    If I was to do anything different I would just use the www-data group to begin with. Actually that is what I do. In fact I also provide the virtual hosts with a document root of /data/www/<virtual_host>. This is a separate partition (spindle). Do you see any problems with this set-up? If so, what problems do you foresee?

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    It isn't a good idea to give www-data write access. If it needs anything, it is read access only.

  6. #6
    Join Date
    Jul 2008
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    Quote Originally Posted by CharlesA View Post
    It isn't a good idea to give www-data write access. If it needs anything, it is read access only.
    Can you explain why that is?

    Edit: Maybe I should be more specific. I'm only giving write rights for www-data to the file system /data/www (the various document roots). This is not giving execute rights or access to the system files. We are only talking about data files here.
    Last edited by redmk2; September 11th, 2012 at 10:05 PM. Reason: clarification

  7. #7
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    www-data is the user apache runs as, and if apache was somehow compromised, they would have write access to that area of the file system.

  8. #8
    Join Date
    Jul 2008
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    Quote Originally Posted by CharlesA View Post
    www-data is the user apache runs as, and if apache was somehow compromised, they would have write access to that area of the file system.
    Not trying to argue, just learn.

    So what you are saying is that only the data is at risk; right?

    What is the case if we have mortal users (and a group such as www-users). What risks do we have there?

    The original reason I used www-data is that it was there already! Where can we find information on hardening Apache2?
    Last edited by redmk2; September 11th, 2012 at 10:21 PM. Reason: More clarification

  9. #9
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    I am not too experienced with hardening Apache, but if you allow www-data to write to your site's root folder, and apache is compromised, your site could potentially be compromised as well. Even if www-data doesn't have world writable access, it might leave a hole open if there was a privilege escalation exploit left unpatched.

    A compromised site can be modified to spread malware and the like.

  10. #10
    Join Date
    Jul 2008
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    Quote Originally Posted by CharlesA View Post
    I am not too experienced with hardening Apache, but if you allow www-data to write to your site's root folder, and apache is compromised, your site could potentially be compromised as well. Even if www-data doesn't have world writable access, it might leave a hole open if there was a privilege escalation exploit left unpatched.

    A compromised site can be modified to spread malware and the like.
    I guess I will have to create a new group. So much for using an existing www group in my situation. In my case the server is a test prototype and therefore is not connected to the internet.

    Take heed OP, we need to find a way other than using www-data either in the group or as the group itself.

    Thank you @CharlesA for your insight and patience.
