
Thread: chmod and chown on /var/www/.

  1. #1
    Join Date
    Oct 2005
    Location
    Wabasha MN
    Beans
    2,571
    Distro
    Ubuntu

    chmod and chown on /var/www/.

    What are the best settings for ownership and access on the /var/www/ directory and all the files and directories under it?
    Information on my Main laptop. Information on my small laptop Dell 11 3000
    Using a Asus 3632QM laptop with 8gig RAM, 250 SSD.
    Machine Registered 366271, 366273, 366275.
    Registered Ubuntu user number 18630. Registered Linux user number 458093.

  2. #2
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: chmod and chown on /var/www/.

    If you are the only user on that machine you can chown it to yourself. If you are sharing it with a group, then there are other options involving group permissions. The important thing, from the web server's perspective, is that o=rx for directories and o=r for files and (except for fairly unique exceptions) there is no write access by the web server or its child processes.

  3. #3
    Join Date
    Oct 2005
    Location
    Wabasha MN
    Beans
    2,571
    Distro
    Ubuntu

    Re: chmod and chown on /var/www/.

    I have mine set like this:
    Code:
    drwxr-xr-x 38 irv www-data 4096 Sep 17 07:59 www
    I am the only user on the server, so I changed the owner from root to irv and am using the group www-data. I have all rights, the group has executing and reading rights, and others have executing rights. I am thinking this should be about the way it should be set up.

  4. #4
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: chmod and chown on /var/www/.

    You can use your own regular group, too, not just the user. Having www-data there is a bit risky because then it is one step away from giving write access to those files to the web server. Nothing bad is going to automatically happen but it peels away another layer of security. The user www-data exists to provide an unprivileged user for the main activities of the web server, the group www-data is largely an artifact of creating that user. The idea is to give the server the least amount of privileges needed to get the job done.

    Here you can see that a root process is started and then one or more under www-data are launched by that root process.

    Code:
    ps -efjH | sed -n '1p;/apache2/p'
    Some CMS tools might need write access to specific directories or files, but those can be dealt with on a case by case basis. In general, www-data should be kept from getting write access to the pages it is serving. Again, that's just one more layer.
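    The following script is an added example and is not code from this thread or from Apache. It applies the scheme described in posts #2 and #4 (you own the files, a regular group and everyone else can only read and traverse, the web server writes nothing) to a document root, and then audits the tree for anything the web server identity could still write. It assumes GNU find (for -printf) and that the server runs as www-data:www-data as on Ubuntu; both names are parameters so a different server identity can be checked. The owner name irv in the usage comment is taken from post #3.

```shell
#!/bin/sh
# Added example for the advice in this thread (not code from the thread
# or from Apache). Applies "owner writes, group and others only read and
# traverse, the web server writes nothing" to a document root, then audits
# the tree for anything the web server identity could still write.
# Assumes GNU find (-printf) and, by default, a server running as
# www-data:www-data as on Ubuntu; both names are parameters.
set -u

# set_docroot_perms DIR OWNER GROUP
#   Directories become rwxr-xr-x (755), files rw-r--r-- (644).
#   OWNER is the shell user who maintains the site; GROUP should be a
#   regular group, deliberately not www-data (see post #4).
set_docroot_perms() {
    chown -R "$2:$3" "$1" &&
    find "$1" -type d -exec chmod u=rwx,go=rx {} + &&
    find "$1" -type f -exec chmod u=rw,go=r {} +
}

# audit_writable DIR [WEB_USER] [WEB_GROUP]
#   Prints every path under DIR that WEB_USER could write to: owned by
#   WEB_USER, group-writable and owned by WEB_GROUP, or world-writable.
#   Exit status 0 when the tree is clean, 1 when anything is listed.
audit_writable() {
    find "$1" -printf '%u %g %m %p\n' |
    awk -v u="${2:-www-data}" -v g="${3:-www-data}" '
        # d is one octal permission digit; the write bit is 2
        function has_w(d) { return (d % 4) >= 2 }
        {
            grp = substr($3, length($3) - 1, 1) + 0   # group digit of the mode
            oth = substr($3, length($3), 1) + 0       # other digit of the mode
            path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)   # keep paths with spaces intact
            if ($1 == u || ($2 == g && has_w(grp)) || has_w(oth)) {
                print path; found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Typical use on a real host (run as root):
#   set_docroot_perms /var/www irv irv
#   audit_writable /var/www && echo "www-data cannot write anywhere under /var/www"
```

    The audit is the part worth keeping around: a CMS that was granted write access to "a directory or two" tends to accumulate more over time, and running audit_writable after each change shows exactly which paths the server could modify.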

  5. #5
    Join Date
    Oct 2005
    Location
    Wabasha MN
    Beans
    2,571
    Distro
    Ubuntu

    Re: chmod and chown on /var/www/.

    Are you suggesting I should maybe change my rights on the /etc/www/ and stuff under it? I have a couple of directories under www where I keep audio files that I want others to be able to listen to. I saw on other servers where the group was set to www-data. Just wondering?

  6. #6
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: chmod and chown on /var/www/.

    Quote Originally Posted by irv View Post
    Are you suggesting I should maybe change my rights on the /etc/www/ and stuff under it? I have a couple of directories under www where I keep audio files that I want others to be able to listen to. I saw on other servers where the group was set to www-data. Just wondering?
    I would propose not using the www-data group for anything, leaving it instead for the web server's own exclusive use. At least one of the BSDs labels these special groups with an underscore at the start of the name so they are easier to spot, but the Linuxes don't do that, so it's harder to notice. There is some vague mention in the Apache2 documentation about setting User and Group but it does not cover the reasons. Again the idea is that the web server should not be able to gain write access to anything that it publishes, this is kind of a variation of the principle of Write XOR eXecute (W^X).

    If the audio files are under /var/www somewhere, presumably they are going to be readable by anyone already so no additional changes with groups are needed. The defaults for /var/www are world-readable. Otherwise, it is easy to add a joint group.

    There are a few cases where files and/or directories can be in the www-data group, but they are not so common. One case would be where you have some portion of the web server behind a password and you don't want the regular shell users to be able to read those files if they log in. Another would be when running a CMS; they sometimes want to write to a file or two, in which case SuExec in Apache2 can be used.
