Thread: Locking down /var/www properly

  1. #1
    Join Date
    Nov 2010
    Beans
    18

    Question Locking down /var/www properly

    It seems to me that there are as many ways to do this as there are sysadmins out there. This is what I came up with.

    Security of /var/www is left as-is.

    Security of the directories and subdirectories under /var/www has the following perm/user/group:
    drwxrws--- martijn www

    Security of files in those directories (recursive) is:
    -rw-rw---- martijn www

    martijn is the owner. www is the group.
    www-data is member of www.

    I need my websites to be writable by themselves. Please don't dive into this, this is just the way I need it. For this requirement, the security seems quite alright to me. Good enough at least.

    However, I stumble upon an issue. When a website updates itself, it will create some new files and whatnot. But if the www-data user creates a new file, this becomes the security:
    -rw-r--r-- www-data www

    This I don't want. I want any new files and directories to *inherit* from their parent. The security mask should be inherited, the owner should be inherited, and the group is already inherited.

    How do I achieve this? How do I make the security mask and file owners inheritable?

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    All the directories under /var/www/ are set to root:root with -rwxr-xr-x on my boxes.

    That is unless I have them being served from the user's home directory.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Sep 2006
    Beans
    8,365
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Locking down /var/www properly

    You should probably remove www-data from www. It is not such a good idea to leave the web server with general write access.

    About the directories keeping the permissions, try setting the Set Group ID bit.

    Code:
    # do once
    sudo chgrp -R www /var/www

    # directories: group rwx plus setgid, so new entries inherit the www group
    sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
    # files: group rw only; setgid on a plain file has no inheritance effect
    sudo find /var/www -type f -exec chmod g=rw "{}" \;

    # repeat for each user:
    sudo gpasswd --add martijn www
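    Added example, not from this thread: a small POSIX shell script that shows exactly what the setgid bit in the commands above does for the original question (inherited group) and what it does not do (inherited mode or owner). New entries in a setgid directory take the directory's group, but their permission bits still come from the creating process's umask, and the owner is always the creating user, so a web server running with the default umask 022 still produces the -rw-r--r-- files the first post complains about, and nothing short of a process-level umask change (or default ACLs, which the thread does not cover) gives 660 files. The paths below are made up for the demo; a temporary directory stands in for a site under /var/www, and the script runs unprivileged, so the directory keeps the caller's primary group instead of www.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates setgid inheritance on a
# directory versus umask-controlled permission bits on new entries.
# A mktemp directory stands in for /var/www/site; paths are hypothetical.
set -eu

# Make a shared directory: rwxrws--- (2770). Run as root you would also
# `chgrp www` it here; unprivileged, it keeps the caller's primary group.
setup_shared_dir() {
    mkdir -p "$1"
    chmod 2770 "$1"
}

# Simulate the web app creating a file under the usual umask 022:
# this reproduces the -rw-r--r-- (644) result from the original post.
create_with_default_umask() {
    ( umask 022; : > "$1/default.txt" )
}

# Same creation under umask 007: the file comes out rw-rw---- (660) and a
# subdirectory comes out rwxrws--- (2770), because Linux copies the parent's
# setgid bit onto new directories. Only the group is inherited; the owner
# is still whoever ran this.
create_with_group_umask() {
    ( umask 007; : > "$1/shared.txt"; mkdir "$1/cache" )
}

# Octal mode of a path including the special bits (GNU/BusyBox stat -c).
mode_of() {
    stat -c '%a' "$1"
}

# Numeric group id of a path, to show group inheritance explicitly.
gid_of() {
    stat -c '%g' "$1"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    setup_shared_dir "$d/site"
    create_with_default_umask "$d/site"
    create_with_group_umask "$d/site"
    for p in "$d/site" "$d/site/default.txt" "$d/site/shared.txt" "$d/site/cache"; do
        printf '%-5s gid=%s %s\n' "$(mode_of "$p")" "$(gid_of "$p")" "$p"
    done
    rm -rf "$d"
fi
```

    Run it as `sh setgid-demo.sh demo`. The point to take away for the thread's setup is that chmod g+s fixes the group half of the question only; to get 660 files from the server you have to change the umask of the process creating them (for Apache on Ubuntu that is the umask the service starts with, typically set in /etc/apache2/envvars), and the owner of those files will be www-data regardless.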

  4. #4
    Join Date
    Jul 2008
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Locking down /var/www properly

    Quote Originally Posted by Lars Noodén View Post
    You should probably remove www-data from www. It is not such a good idea to leave the web server with general write access.

    About the directories keeping the permissions, try setting the Set Group ID bit.

    Code:
    # do once
    sudo chgrp -R www /var/www

    # directories: group rwx plus setgid, so new entries inherit the www group
    sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
    # files: group rw only; setgid on a plain file has no inheritance effect
    sudo find /var/www -type f -exec chmod g=rw "{}" \;

    # repeat for each user:
    sudo gpasswd --add martijn www
    I don't see the problem of www-data updating the files. This is a system user that Apache runs under. When you set the GID bit on all directories, files created by any user have the www group set; correct? The www-data user has limited abilities by design.

    If I were to do anything different, I would just use the www-data group to begin with. Actually, that is what I do. In fact, I also provide the virtual hosts with a document root of /data/www/<virtual_host>. This is a separate partition (spindle). Do you see any problems with this setup? If so, what problems do you foresee?

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Locking down /var/www properly

    It isn't a good idea to give www-data write access. If it needs anything, it is read access only.

  6. #6
    Join Date
    Jul 2008
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Locking down /var/www properly

    Quote Originally Posted by CharlesA View Post
    It isn't a good idea to give www-data write access. If it needs anything, it is read access only.
    Can you explain why that is?

    Edit: Maybe I should be more specific. I'm only giving write rights for www-data to the file system /data/www (the various document roots). This is not giving execute rights or access to the system files. We are only talking about data files here.
    Last edited by redmk2; September 11th, 2012 at 10:05 PM. Reason: clarification
