Locking down /var/www properly

**thany** · September 11th, 2012

It seems to me that there are as many ways to do this as there are sysadmins out there. This is what I came up with.

Security of /var/www is left as-is.

Security of the directories and subdirectories under /var/www have the following perm/user/group:
drwxrws--- martijn www

Security of files in those directories (recursive) is:
-rw-rw---- martijn www

martijn is the owner. www is the group.
www-data is member of www.

I need my websites to be writable by themselves. Please don't dive into this, this is just the way I need it. For this requirement, the security seems quite alright to me. Good enough at least.

However, I stumble upon an issue. When a website updates itself, it will create some new files and whatnot. But if the www-data user creates a new file, this becomes the security:
-rw-r--r-- www-data www

This I don't want. I want any new files and directory to *inherit* from their parent. The security mask should be inherited, the owner should be inherited, and the group is already inherited.

How do I achieve this? How do I make the security mask and file owners inheritable?

**CharlesA** · September 11th, 2012

All the directories under /var/www/ are set to root:root with -rwx-r-x-r-x on my boxes.

That is unless I have them being served from the user's home directory.

**Lars Noodén** · September 11th, 2012

You should probably remove www-data from www. It is not such a good idea to leave the web server with general write access.

About the directories keeping the permissions, try setting the Set Group ID bit.

Code:

# do once
sudo chgrp -R www /var/www

sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
sudo find /var/www -type f -exec chmod g=rws "{}" \;

# repeat for each user:
sudo gpasswd --add martijn www

**redmk2** · September 11th, 2012

Originally Posted by Lars Noodén

You should probably remove www-data from www. It is not such a good idea to leave the web server with general write access.

About the directories keeping the permissions, try setting the Set Group ID bit.

Code:

# do once
sudo chgrp -R www /var/www

sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
sudo find /var/www -type f -exec chmod g=rws "{}" \;

# repeat for each user:
sudo gpasswd --add martijn www

I don't see the problem of www-data updating the files. This is a system user that Apache runs under. When you set the GID bit for all directories and files created by any user it has the www group set; correct?. The www-data user has limited abilities by design.

If I was to do anything different I would just use the www-data group to begin with. Actually that is what I do. In fact I also provide the virtual hosts with a document root of /data/www/<virtual_host>. This is a separate partition (spindle). Do you see any problems with this set up. If so; what problems do you foresee?

**CharlesA** · September 11th, 2012

It isn't a good idea to give www-data write access. If it needs anything, it is read access only.

**redmk2** · September 11th, 2012

Originally Posted by CharlesA

It isn't a good idea to give www-data write access. If it needs anything, it is read access only.

Can you explain why that is?

Edit: Maybe I should be more specific. I'm only giving write rights for www-data to the file system /data/www (the various document roots). This is not giving execute rights or access to the system files. We are only talking about data files here.